On Thu, Sep 11, 2014 at 04:38:25PM +0400, Peter Andreev wrote:
> I'd like to ask the respected community, how do you detect and protect
> against such activity? Will RRL help me if all suspected queries come
> with random qname?
No, it will probably not, since the answers are all servfails.

PowerDNS Recursor 3.6.0 and beyond contain logic that globally detects nameservers that are already dead and stops sending further queries; it can reduce flow by 99%, for example (with only one infrequent ping query to see if a server is up again). But we still get flooded by the traffic, which wastes CPU and degrades performance.

This thread has some wisdom too on generating filters for BIND: http://comments.gmane.org/gmane.network.dns.operations/3764

It should be possible to do this in some smarter fashion within a nameserver, but the real solution is to target the clients sending you such queries, which tend to be DNS forwarders or botnet members in their own right. There is far more harm they could inflict otherwise.

--
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
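The reply above points at the two things that actually help: recognising that a flood is random-qname traffic for a domain whose authoritative servers are dead (every answer is SERVFAIL), and then filtering the clients that send it rather than the answers. The following is an added example written for this page, not code from PowerDNS, BIND or the poster. It scans query-log lines, groups them per client and base domain, and flags a client when nearly every query has a distinct, high-entropy leftmost label and nearly every answer is SERVFAIL; a legitimate resolver that merely retries the same name against a dead zone is not flagged. The log line format, the thresholds, the sample lines and all function names are assumptions made for the example; the emitted `blackhole` fragment uses the real BIND `options` statement of that name.

```python
"""Detect random-qname floods against dead zones and emit a BIND client filter.

Added example for this page (not the project's own code). The log format
"<client> <qname> <qtype> <rcode>" is a hypothetical, simplified shape;
real deployments would parse their own resolver's query/response log.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log. 10.0.0.5 sends random labels under victim.example
# (all SERVFAIL); 198.51.100.9 merely retries one name; 192.0.2.7 is normal.
SAMPLE_LOG = """\
10.0.0.5 a8f3kq2z.victim.example A SERVFAIL
10.0.0.5 zz91pq0m.victim.example A SERVFAIL
10.0.0.5 q0w9e8r7.victim.example A SERVFAIL
10.0.0.5 mn4b3v2c.victim.example A SERVFAIL
10.0.0.5 p9o8i7u6.victim.example A SERVFAIL
10.0.0.5 l1k2j3h4.victim.example A SERVFAIL
10.0.0.5 x7c6v5b4.victim.example A SERVFAIL
10.0.0.5 t5r4e3w2.victim.example A SERVFAIL
10.0.0.5 y6u7i8o9.victim.example A SERVFAIL
10.0.0.5 g2h3j4k5.victim.example A SERVFAIL
198.51.100.9 www.victim.example A SERVFAIL
198.51.100.9 www.victim.example A SERVFAIL
192.0.2.7 www.example.org A NOERROR
192.0.2.7 mail.example.org MX NOERROR
192.0.2.7 img.example.org A NOERROR
"""


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def base_domain(qname):
    """Naive base domain: the last two labels. (Assumption: a real tool
    would consult the public suffix list instead.)"""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype, rcode) from the hypothetical log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines rather than crash on them
        client, qname, qtype, rcode = parts
        yield client, qname.lower(), qtype, rcode


def find_random_qname_floods(text, min_queries=10, min_unique_ratio=0.9,
                             min_servfail_ratio=0.9, min_entropy=2.5):
    """Return {(client, base_domain): stats} for clients whose traffic to a
    domain is mostly distinct, random-looking names that all SERVFAIL.
    Thresholds are illustrative assumptions, not measured values."""
    agg = defaultdict(lambda: {"n": 0, "servfail": 0, "labels": set(), "ent": 0.0})
    for client, qname, _qtype, rcode in parse_log(text):
        s = agg[(client, base_domain(qname))]
        leftmost = qname.split(".")[0]
        s["n"] += 1
        s["servfail"] += rcode == "SERVFAIL"
        s["labels"].add(leftmost)
        s["ent"] += label_entropy(leftmost)

    flagged = {}
    for key, s in agg.items():
        n = s["n"]
        if n < min_queries:
            continue
        unique_ratio = len(s["labels"]) / n
        servfail_ratio = s["servfail"] / n
        mean_entropy = s["ent"] / n
        # A resolver retrying one name against a dead zone fails the
        # unique-label test; a random-qname flood passes all three.
        if (unique_ratio >= min_unique_ratio
                and servfail_ratio >= min_servfail_ratio
                and mean_entropy >= min_entropy):
            flagged[key] = {"queries": n, "unique_ratio": unique_ratio,
                            "servfail_ratio": servfail_ratio,
                            "mean_entropy": mean_entropy}
    return flagged


def bind_blackhole_fragment(flagged):
    """Render the flagged clients as a BIND 'blackhole' options fragment;
    queries from listed addresses are ignored by named."""
    clients = sorted({client for client, _dom in flagged})
    body = "".join(f"    {c};\n" for c in clients)
    return "blackhole {\n" + body + "};\n"


if __name__ == "__main__":
    hits = find_random_qname_floods(SAMPLE_LOG)
    for (client, dom), st in hits.items():
        print(f"{client} -> {dom}: {st}")
    print(bind_blackhole_fragment(hits))
```

In production the same aggregation would run over a sliding window (one minute is a reasonable start) rather than a whole file, and the output would more often feed an ACL or a packet filter in front of the resolver than `blackhole` itself; the point is that the decision key is the client, per the reply above, not the query name.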