[Pdns-users] DDoS attack with random A requests causes SQL backend overload

Fri, 16 Jul 2021 02:33:39 -0700 

Hello,

We have received a DDoS attack on our powerdns infrastructure.
The DNS requests were all non-existing records in 1 single zone.

Eg:
  ghz2.mydomain.com
  cdzx.mydomain.ocom
  hh3r.mydomain.com

The result was that the SQL backend was overloaded with these queries and 
caused some of our servers not to respond to legitimate queries.
See here an example from the SQL log:

2021-07-13T14:50:43.459635Z      3061 Reset stmt
2021-07-13T14:50:43.463172Z      3059 Execute   SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and name='gzh1.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.463989Z      3059 Reset stmt
2021-07-13T14:50:43.468001Z      3060 Execute   SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and name='cdzx.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.468822Z      3060 Reset stmt
2021-07-13T14:50:43.471102Z      3061 Execute   SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and name='cvqi.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.472178Z      3061 Reset stmt
2021-07-13T14:50:43.474985Z      3059 Execute   SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and name='hh3r.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.475371Z      3059 Reset stmt
2021-07-13T14:50:43.478971Z      3060 Execute   SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and name='9jv9.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.479399Z      3060 Reset stmt
2021-07-13T14:50:43.483063Z      3061 Execute   SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and name='boxl.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.483457Z      3061 Reset stmt

The new zone cache feature is only caching the "domains" table, it's not 
caching the each record in the backend.

Is there any way how we can ensure that powerdns is caching a complete zone in 
case we are encountering a random generated dns attack on our authorative DNS 
servers?

Thank you,

David

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Reply via email to