PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

MaxQPS rule for zones/RCODE #13100

Open nlmark opened 1 year ago

nlmark commented 1 year ago

Short description

Add an option to set a max qps per zone/zonedepth dynamically. Don't let it depend on the requesting IP.

e.g.: MaxQPSZoneRule (qps[, labels[, burst[, expiration[, cleanupdelay]]]]) By setting the qps to for example 10 and the labels to 2 it would mean that example.com would in total be allowed 10 queries per second before the rule comes into effect. The other rule options are inspired by https://dnsdist.org/rules-actions.html?highlight=maxqpsiprule#MaxQPSIPRule .

Use case

Combined with an addAction it would make it possible to automatically detect levels above the threshold and handle them differently, e.g. sending them to a different server pool, dropping them or requiring TCP. The idea is to make it possible to automatically drop/handle suspected attacks.

Description

Make it possible to add rules based on the zone name (or zone labels) to have an action based on the qps for it. It could also be combined with RCODE to only do it for certain RCODE levels (e.g. NXDOMAIN) to defend against NXDOMAIN attacks (by putting the attacked domain on a different server pool and that way keeping the other zones online).
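The following is an added illustration of the semantics the request above describes, written for this page; it is not dnsdist code and not the reporter's. It models the proposed parameters (qps, labels, burst, expiration, cleanupdelay) as a per-zone token bucket keyed on the last N labels of the query name, and adds an optional RCODE filter so that only, say, NXDOMAIN responses consume tokens. The class name MaxQPSZoneLimiter, its method names and the sample queries are constructed assumptions, not a proposed API.

```python
"""Hypothetical model of the proposed MaxQPSZoneRule (added example, not dnsdist code)."""
import time


class MaxQPSZoneLimiter:
    """Per-zone token-bucket limiter keyed on the trailing `labels` labels of the qname.

    Parameters mirror the issue's proposal (all names are assumptions for this example):
    - qps:          sustained queries per second allowed per zone key
    - labels:       number of trailing labels forming the key (2 -> "example.com")
    - burst:        bucket capacity, i.e. how far above qps a short spike may go (default: qps)
    - expiration:   seconds of inactivity after which a zone entry is forgotten
    - cleanupdelay: minimum seconds between expiry sweeps
    - rcodes:       optional set of RCODEs; when given, only responses carrying one of
                    them count (e.g. {3} for NXDOMAIN), so this would be a response-side rule
    """

    def __init__(self, qps, labels=2, burst=None, expiration=300, cleanupdelay=60, rcodes=None):
        if qps <= 0 or labels <= 0:
            raise ValueError("qps and labels must be positive")
        self.qps = float(qps)
        self.labels = labels
        self.burst = float(burst if burst is not None else qps)
        self.expiration = expiration
        self.cleanupdelay = cleanupdelay
        self.rcodes = set(rcodes) if rcodes is not None else None
        self._buckets = {}          # zone key -> [tokens, last_seen]
        self._last_cleanup = None

    def zone_key(self, qname):
        """Normalise the qname and keep only its last `labels` labels."""
        parts = [p for p in qname.lower().rstrip(".").split(".") if p]
        return ".".join(parts[-self.labels:])

    def exceeds(self, qname, now=None, rcode=None):
        """Return True when this query pushes its zone over the configured rate.

        `now` is injectable so the behaviour can be simulated deterministically.
        """
        if self.rcodes is not None and rcode not in self.rcodes:
            return False                      # not a response type we count
        now = time.monotonic() if now is None else now
        self._maybe_cleanup(now)
        key = self.zone_key(qname)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = [self.burst, now]
        tokens, last = bucket
        # refill at `qps` tokens per second, capped at the burst size
        tokens = min(self.burst, tokens + (now - last) * self.qps)
        bucket[1] = now
        if tokens >= 1.0:
            bucket[0] = tokens - 1.0
            return False
        bucket[0] = tokens
        return True

    def _maybe_cleanup(self, now):
        """Drop zone entries idle longer than `expiration`, at most every `cleanupdelay` s."""
        if self._last_cleanup is not None and now - self._last_cleanup < self.cleanupdelay:
            return
        self._last_cleanup = now
        stale = [k for k, (_, last) in self._buckets.items() if now - last > self.expiration]
        for k in stale:
            del self._buckets[k]

    def tracked_zones(self):
        return sorted(self._buckets)


def simulate(limiter, queries):
    """Run (timestamp, qname, rcode) tuples through the limiter; return which exceeded."""
    return [(t, q, limiter.exceeds(q, now=t, rcode=rc)) for t, q, rc in queries]


if __name__ == "__main__":
    # Constructed sample: 12 NXDOMAIN responses for random labels under example.com in the
    # same second, plus one for another zone that must stay unaffected.
    limiter = MaxQPSZoneLimiter(qps=10, labels=2, rcodes={3})
    sample = [(0.0, "rnd%02d.example.com" % i, 3) for i in range(12)]
    sample.append((0.0, "www.other.org", 3))
    for t, qname, hit in simulate(limiter, sample):
        print("%5.1f %-22s %s" % (t, qname, "EXCEEDED" if hit else "ok"))
```

With qps=10 and labels=2 the first ten example.com queries pass, the eleventh and twelfth are flagged, and other.org is untouched; the bucket refills at 10 tokens per second, so after half a second five more pass. An action attached to the flagged queries (a separate pool, a drop, or a TC bit forcing TCP) would then isolate the attacked zone without affecting the others, which is what the request above is after.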

rgacogne commented 1 year ago

I'm tentatively putting this into the 1.9 milestone, but we already have a lot on our plate so this feature is likely to get postponed. It will help if someone actually contributes the code, as always :-)