[dns-operations] Small datapoint on current DoS mitigation

bert hubert bert.hubert at netherlabs.nl
Thu Apr 3 08:38:09 UTC 2014


Hi everybody,

Like most people, we're currently seeing loads and loads of malicious DNS
traffic. In this post
http://blog.powerdns.com/2014/04/03/further-dos-guidance-packages-and-patches-available/
we describe a new PowerDNS feature that so far has been remarkably
effective. I think it was inspired by a feature from Unbound, but unsure. It
was contributed to us by PowerDNS user Paulo Anes (thanks!).

What this filter does is keep tabs on authoritative servers that don't answer. After not
answering X times in a row, the server gets blacklisted for Y seconds.

Then, after Y seconds the server gets a new chance to answer. If it doesn't,
it immediately gets blacklisted again for Y seconds. However, if it provides
only a single answer (even if incorrect), the blacklisting gets removed.

We hear from many operators that this has successfully mitigated the impact
of this DoS both on them and on the target.

	Bert
-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
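The blacklisting behaviour described in the post (X consecutive non-answers, a Y-second block, one chance on expiry, any answer clears it), as an added Python sketch that is not PowerDNS's own code; the names max_failures and block_seconds, the injectable clock and the 192.0.2.1 address are constructed for the simulation.

```python
# Added illustration of the non-answering-server filter described above;
# not PowerDNS code. max_failures (X) and block_seconds (Y) are assumed names.
import time

class NonAnswerFilter:
    """After X consecutive non-answers a server is blocked for Y seconds.
    On expiry it gets one chance: another non-answer re-blocks it at once,
    any answer (even a wrong one) clears the block and the counter."""

    def __init__(self, max_failures, block_seconds, clock=time.monotonic):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.clock = clock      # injectable so a simulation can skip time
        self.servers = {}       # address -> [consecutive_failures, blocked_until]

    def should_query(self, server):
        """False while the server is blacklisted."""
        _, blocked_until = self.servers.get(server, [0, 0.0])
        return self.clock() >= blocked_until

    def record_answer(self, server):
        """Any answer lifts the blacklist and resets the failure counter."""
        self.servers.pop(server, None)

    def record_timeout(self, server):
        st = self.servers.setdefault(server, [0, 0.0])
        st[0] += 1
        # The counter is not reset when a block expires, so once over the
        # threshold every further timeout re-arms the block immediately.
        if st[0] >= self.max_failures:
            st[1] = self.clock() + self.block_seconds

def simulate(x=3, y=60):
    """Walk one server through block, expiry, re-block and recovery;
    uses a constructed clock and a constructed RFC 5737 address."""
    now = [0.0]
    f = NonAnswerFilter(x, y, clock=lambda: now[0])
    srv = "192.0.2.1"
    trace = []
    for _ in range(x):          # X timeouts in a row -> blacklisted
        f.record_timeout(srv)
    trace.append(f.should_query(srv))
    now[0] += y + 1             # block expired -> one new chance
    trace.append(f.should_query(srv))
    f.record_timeout(srv)       # fails again -> re-blocked immediately
    trace.append(f.should_query(srv))
    now[0] += y + 1
    f.record_answer(srv)        # a single answer clears the block
    trace.append(f.should_query(srv))
    return trace                # [False, True, False, True]
```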


