Further DoS guidance, packages and patches available

Apr 3, 2014

Hi everybody,

Sadly, further DoS attacks are plaguing the world of DNS, which is bad for the targets of those DoS attacks, but also for us DNS operators that help originate them.  This post has guidance on how to make sure your PowerDNS Recursor mitigates the current attacks.

If you are under attack and need help, we’re there for you, and feel free to contact us on powerdns.support at powerdns.com.

* The attack

A current pattern of attacks is to register a domain with lots of ‘nameservers’, and then get botnets to create queries for that new domain.  Resolvers around the world then barrage these ‘nameservers’ with queries. And of course, these nameservers aren’t nameservers, they simply are targets of a DoS attack.

By crafting things just so, this creates a powerful packet amplifier, with one botnet packet turning into many many packets to the targets of the attack.

Some further details are on http://dnsamplificationattacks.blogspot.nl/2014/02/authoritative-name-server-attack.html

* What we can do about it

Although PowerDNS already checks if a server might be down, and will limit how often it queries it, this limitation does not stand up to the random nature of these attacks.

DoS victim Paulo Anes has contributed a filter that can aggressively filter out queries to dead servers, it is described in https://github.com/PowerDNS/pdns/pull/1300. Thank you Paulo!

We’ve since deployed this filter in many places, and it works VERY well against the current attacks. We recommend setting server-down-max-fails=32 for most servers, and server-down-max-fails=16 if under heavy attack.

Additionally, please make sure to read https://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/ for how to properly size your operating system for dealing with incoming attacks.

* How can I get this filter?

The filter is part of our 3.6.0 release. Please find it on our Downloads page

* Further questions

If you have further questions, or are currently under attack and need help, please feel free to contact powerdns.support at powerdns.com.

About the author

Peter van Dijk

Peter van Dijk

Senior Developer at PowerDNS


Related Articles

DNS cache snooping attack

We have been getting questions about “DNS Server Cache Snooping Remote Information Disclosure” attacks lately, mostly coming...

Remi Gacogne 06/3/21

Diverting recursor-to-auth attacks

We get frequent reports from users/customers about various DNS-related attacks they are facing on either their...

Peter van Dijk 12/6/14

PowerDNS Recursor and the SAD DNS attack

Short version: the PowerDNS Recursor already implements mitigations to the SAD DNS attack. However, our users will likely be...

Peter van Dijk 11/3/20

DNS performance metrics: the logarithmic percentile histogram

DNS performance is always a hot topic. No DNS-OARC, RIPE or IETF conference is complete without new presentations on DNS...

Peter van Dijk 11/5/17