Hi Jasper!
Not that I can help you that much with dnsdist, but I want to share some things
we have done….
I found some measurements from 2022 on a VM with 8 vCPUs.
Dnsdist with PowerDns/postgresql Backend and random queries: 20k qps
Dnsdist (with PowerDns/postgresql Backend) and hot dnsdist
Hi Remi!
Thanks for the details.
> > Blocking all queries to the attacked domain prevents collateral
> damage, but causes a DoS to the attacked domain and makes the customer
> of the attacked domain unhappy.
>
> I fully agree, and we are working on having smarter mitigations in
> dnsdist to
> -Original Message-
> From: dnsdist On Behalf Of
> Remi Gacogne via dnsdist
> Sent: Monday, 8 January 2024 17:51
> To: dnsdist@mailman.powerdns.com
> Subject: Re: [dnsdist] Suggestions for rules to block abusive traffic
>
> Hi Dan,
>
> On 08/01/2024 17:28, Dan McCombs via
From: Dan McCombs
Sent: Monday, 8 January 2024 17:28
To: Klaus Darilion
Cc: dnsdist@mailman.powerdns.com
Subject: Re: [dnsdist] Suggestions for rules to block abusive traffic
Hi Klaus!
In our case we are affected as we use Pdns + DB backend as backend.
Yep, that's exactly our case
Hi Dan!
This is a known issue and we have not found a simple solution in dnsdist. And
obviously it is only a problem if the backend is slow. In our case we are
affected as we use Pdns + DB backend as backend.
1. Use a fast name server as additional backend (we used NSD) and
dynamically
> > Shouldn't newServer(...healthCheckMode='UP') also work? In my case it
> does not work.
> > I have set healthCheckMode='UP' but:
> > showServers show status as "up" whereas after setUp() the status is "UP".
> And it still does healthchecks and status goes "down" if the backend is down.
> >
>
(resent to the list)
Hi Remi!
> On 07/10/2022 10:53, Klaus Darilion via dnsdist wrote:
>
> > We use dnsdist with 1 single backend server (PDNS). So if this backend
> > is overloaded, dnsdist will detect the backend as DOWN. Hence, the only
> > server for this backend poo
:14001',name='pdns_1'} -- this is the
PowerDNS server
newServer{address='127.0.0.1:14001',name='pdns_2'} -- this is the
PowerDNS server
Is it still (dnsdist 1.6/1.7) useful/necessary to add listenSockets and
Backendserver multiple times to improve performance?
Thanks
Klaus
ulimit -n 16000
Network config/ specs are same on all three servers, are we doing something
wrong?
Regards,
Rais
-Original Message-
From: Klaus Darilion mailto:klaus.daril...@nic.at
Sent: Thursday, March 24, 2022 12:38 PM
To: Rais Ahmed mailto:rais.ah...@tes.com.pk; mailto:dnsd
Have you tested how many qps your backend is capable of handling? First test your
backend performance to know how much qps a single backend can handle. I guess
500k qps might be difficult to achieve with bind. If you need more performance
switch the Backend to NSD or Knot.
regards
Klaus
>
Hi!
> Pierre Grié from Nameshield contributed an XDP program to reply to
> blocked UDP queries with a truncated response directly from the kernel,
> in a similar way to what we were already doing using eBPF socket
> filters. This version adds support for eBPF pinned maps, allowing
> dnsdist to
Hi Remi!
On 11.08.2019 at 18:26, Remi Gacogne wrote:
> Hi Klaus,
>
> On 8/10/19 10:30 PM, Klaus Darilion wrote:
>> I had similar results. Starting 4 listening threads and 4 receivers
>> threads (by adding the same backend 4 times) boosted my performance -
>> almost li
On 12.07.2019 at 16:08, Remi Gacogne wrote:
>
>
> On 7/12/19 2:52 PM, Klaus Darilion wrote:
>> That does not work. At the moment, if I want to add another domain (ie
>> rate1.com) to the "static" pool I have to check first, if the domain is
>> rate limite
regards
Klaus
PS: This is not a high priority thing, but I think it might be useful
also for other functions to not imply a final action but continue with
the rules
On 12.07.2019 at 12:58, Pieter Lexis wrote:
> Hi Klaus,
>
> On 7/12/19 10:34 AM, Klaus Darilion wrote:
>
Hi Remi!
On 12.07.2019 at 10:27, Remi Gacogne wrote:
> Hi Klaus!
>
> On 7/12/19 10:23 AM, Klaus Darilion wrote:
>> I think this may cause problems with later visualization tools. I think
>> it would be good to add an optional "name" parameter (as with newServer)
Hello!
I have a ruleset with several whitelists (AllowAction) and rate limits
(MaxQPSRule+DropAction).
Now, independent of these rules I would like to use different backend
pools. But now I have a problem as PoolAction() immediately forwards the
request and my blacklist/whitelist rules are not
Hi!
For performance reasons (it helps a lot) I have 3 listeners:
setLocal("0.0.0.0:53", { doTCP=true, reusePort=true, tcpFastOpenSize=100 })
addLocal("0.0.0.0:53", { doTCP=true, reusePort=true, tcpFastOpenSize=100 })
addLocal("0.0.0.0:53", { doTCP=true, reusePort=true, tcpFastOpenSize=100 })
Hello Bert!
On 15.04.2019 at 21:23, bert hubert wrote:
> On Mon, Apr 15, 2019 at 08:39:30PM +0200, Klaus Darilion wrote:
>> Hello!
>>
>> Is there a max number of actions, before there might be performance
>> problems?
>
> Yes. The design goal is not to have hun
Hello!
Is there a max number of actions, before there might be performance
problems?
During a random subdomain attack I would like to "whitelist" all real
subdomains and then rate limit the rest, ie:
-- Allow the following labels without limiting
addAction(QNameRule("www.example.com"),