
dnsdist: Don't count traffic from excluded subnets towards thresholds in DBRs #14583

Open
2 tasks done
wjgauthier opened this issue Aug 26, 2024 · 1 comment

@wjgauthier
Contributor

  • Program: dnsdist
  • Issue type: Bug report

Short description

I'm not sure if this should be filed as a feature request instead of a bug report, but I feel like this is somewhat unexpected. Please let me know if I should open a feature request instead.

I have configured three Dynamic Block Rules (DBRs) with varying QPS thresholds and setMasks bits. The last DBR has a very high QPS limit and setMasks configured to /16 (for IPv4) to protect against highly distributed DoS attacks. For each of these DBRs, I have excluded several subnets (using excludeRange) from which I receive high volumes of legitimate traffic.

However, traffic from one of the excluded subnets (a /21), in combination with high volumes of traffic from other parts of the /16, still results in the entire /16 being blocked by the third DBR (the one with setMasks set to 16 bits). I would expect traffic from excluded subnets not to count towards the QPS threshold.

I understand that excludeRange prevents dynamic blocks from being inserted for clients in these excluded ranges, but only if the excluded subnet has a netmask lower than setMasks, which is why I think it would make sense to exclude this traffic from counting towards the various thresholds, including QPS.

Environment

  • Operating system: Ubuntu 22.04
  • Software version: dnsdist 1.9.6
  • Software source: PowerDNS repository

Steps to reproduce

  1. Create a Dynamic Block Rule with an excludeRange (the QPS threshold is lowered here to make it easier to trigger):
local dbr = dynBlockRulesGroup()
dbr:excludeRange({'1.2.32.0/21'})
dbr:setMasks(16, 32, 0)
dbr:setQueryRate(50, 10, "dbr: Exceeded threshold", 60)
  2. Generate a lot of traffic from the excluded subnets
  3. dbr is triggered and 1.2.0.0/16 is blocked

Expected behaviour

Traffic from the excluded subnet should not count towards the QPS threshold and the /16 subnet should not get blocked (unless non-excluded parts of the subnet exceed the threshold limit, of course)

Actual behaviour

Traffic from the excluded subnets is counted towards the QPS threshold and is blocked

Other information

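The following is an added, constructed model of the counting behaviour the report describes; it is not dnsdist code, does not call the dnsdist API, and is not part of the original issue. It reproduces the setMasks(16, 32, 0) aggregation and compares two ways of honouring excludeRange(): counting every query per /16 key and consulting the exclusion list only against that key when a block would be inserted (assumed here to be what 1.9.6 does, which is consistent with the reporter's note that a /21 exclusion cannot cover a /16 key), versus skipping excluded source addresses before counting (the behaviour the issue asks for). The traffic figures, the function names and the "key"/"source" mode labels are all constructed for this example.

```python
"""Model of dynamic-block query counting with setMasks() and excludeRange().

Added example written for this page; not dnsdist's implementation.
"""
import ipaddress
from collections import Counter

EXCLUDED = [ipaddress.ip_network("1.2.32.0/21")]  # dbr:excludeRange({'1.2.32.0/21'})
V4_MASK = 16          # dbr:setMasks(16, 32, 0): IPv4 keys are /16
QPS_THRESHOLD = 50    # dbr:setQueryRate(50, 10, ...): 50 qps ...
WINDOW_SECONDS = 10   # ... measured over a 10 s window

# Constructed traffic for one 10 s window: (source IP, number of queries).
# 1.2.33.5 sits inside the excluded /21; 1.2.100.7 is elsewhere in the same /16.
SAMPLE_WINDOW = [
    ("1.2.33.5", 600),   # 60 qps of legitimate traffic from the excluded range
    ("1.2.100.7", 100),  # 10 qps from a non-excluded part of 1.2.0.0/16
    ("9.9.9.9", 30),     # unrelated /16, well under the threshold
]


def truncate(addr, bits=V4_MASK):
    """The key a dynamic block would be inserted for: the source masked to /bits."""
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def source_is_excluded(addr):
    """True if the untruncated client address lies in an excluded range."""
    return any(addr in net for net in EXCLUDED)


def key_is_excluded(key):
    """Assumed current check: the masked address (e.g. 1.2.0.0) is matched against
    the exclusion list, so a /21 exclusion never covers a /16 key."""
    return any(key.network_address in net for net in EXCLUDED)


def blocked_keys(window, exclusion_mode):
    """Return the /16 keys that would be blocked for one window.

    exclusion_mode: "key"    -> count everything, exclude at insertion time
                    "source" -> skip excluded sources before counting
    """
    counts = Counter()
    for ip, n in window:
        src = ipaddress.ip_address(ip)
        if exclusion_mode == "source" and source_is_excluded(src):
            continue
        counts[truncate(src)] += n

    blocked = []
    for key, n in counts.items():
        if n / WINDOW_SECONDS <= QPS_THRESHOLD:
            continue
        if key_is_excluded(key):
            continue
        blocked.append(str(key))
    return sorted(blocked)


def current_behaviour():
    """What the reporter observed: the excluded /21's traffic pushes the whole /16 over 50 qps."""
    return blocked_keys(SAMPLE_WINDOW, "key")


def requested_behaviour():
    """What the issue asks for: only the 10 qps from non-excluded sources count."""
    return blocked_keys(SAMPLE_WINDOW, "source")


if __name__ == "__main__":
    print("current  :", current_behaviour())    # ['1.2.0.0/16']
    print("requested:", requested_behaviour())  # []
```

Note that in "source" mode a non-excluded part of the /16 that exceeds 50 qps on its own is still blocked, which matches the expected behaviour stated in the report: the exclusion removes legitimate traffic from the count, it does not exempt the aggregated prefix from blocking.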
@rgacogne
Member

Right, the inclusion/exclusion lists were not designed with this in mind, but what you are suggesting makes sense to me.
I'm tentatively assigning this to 2.1.0 milestone as I'm not sure I'll have the time to work on this before 2.0.0, but just to be clear I would be very willing to merge this sooner if someone is willing to work on it before that.
