dnsdist: Don't count traffic from excluded subnets towards thresholds in DBRs
- [X] This is not a support question, I have read about opensource and will send support questions to the IRC channel, Github Discussions or the mailing list.
- [X] I have read and understood the 'out in the open' support policy
- Program: dnsdist
- Issue type: Bug report
Short description
I'm not sure if this should be filed as a feature request instead of a bug report, but I feel like this is somewhat unexpected. Please let me know if I should open a feature request instead.
I have configured three Dynamic Block Rules (DBRs) with varying QPS thresholds and setMasks bits. The last DBR has a very high QPS limit and setMasks configured to /16 (for IPv4) to protect against highly distributed DoS attacks. For each of these DBRs, I have excluded several subnets (using excludeRange) from which I receive high volumes of legitimate traffic.
However, traffic from one of the excluded subnets (a /21), in combination with high volumes of traffic from other parts of the /16, still results in the entire /16 being blocked by the third DBR (the one with setMasks set to 16 bits). I would expect traffic from excluded subnets not to count towards the QPS threshold.
I understand that excludeRange prevents dynamic blocks from being inserted for clients in these excluded ranges, but only if the excluded subnet has a netmask lower than setMasks, which is why I think it would make sense to exclude this traffic from counting towards the various thresholds, including QPS.
Environment
- Operating system: Ubuntu 22.04
- Software version: dnsdist 1.9.6
- Software source: PowerDNS repository
Steps to reproduce
- Create a Dynamic Block Rule with an excludeRange (the QPS threshold is lowered here to make it easier to trigger):

```lua
local dbr = dynBlockRulesGroup()
-- clients in this /21 must never be blocked by this group
dbr:excludeRange({'1.2.32.0/21'})
-- aggregate IPv4 clients per /16, IPv6 clients per /32, ignore the source port
dbr:setMasks(16, 32, 0)
-- block for 60 seconds once more than 50 qps are seen over a 10 second window
dbr:setQueryRate(50, 10, "dbr: Exceeded threshold", 60)
```
- Generate a lot of traffic from the excluded subnets
- dbr is triggered and 1.2.0.0/16 is blocked
Expected behaviour
Traffic from the excluded subnet should not count towards the QPS threshold and the /16 subnet should not get blocked (unless non-excluded parts of the subnet exceed the threshold limit, of course)
Actual behaviour
Traffic from the excluded subnets is counted towards the QPS threshold and is blocked
Other information
Right, the inclusion/exclusion lists were not designed with this in mind but what you are suggesting makes sense to me. I'm tentatively assigning this to the 2.1.0 milestone as I'm not sure I'll have the time to work on this before 2.0.0, but just to be clear I would be very willing to merge this sooner if someone is willing to work on it before that.
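The interaction between setMasks and excludeRange from the steps to reproduce, as an added simplified model (not dnsdist's code, and not the maintainer's): per-client counts are aggregated into mask-sized prefixes, and the exclusion list is only consulted against the aggregated prefix. The `count_excluded` switch contrasts the reported behaviour with the requested one; the sample traffic is constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample: most traffic comes from the excluded /21 (1.2.32.0/21),
# a little from elsewhere in 1.2.0.0/16. Values are queries in one window.
SAMPLE = {'1.2.33.10': 60, '1.2.34.7': 30, '1.2.200.5': 10, '1.2.201.9': 5}
EXCLUDED = [ipaddress.ip_network('1.2.32.0/21')]   # mirrors excludeRange
THRESHOLD = 50                                     # mirrors setQueryRate(50, ...)


def aggregate(queries, mask_bits, excluded, count_excluded):
    """Sum per-client counts into /mask_bits buckets (the setMasks step).

    count_excluded=True models the behaviour described in the report: clients
    inside an excluded range still feed the aggregated counter.
    count_excluded=False models the requested behaviour: their traffic is
    dropped before aggregation.
    """
    buckets = Counter()
    for src, n in queries.items():
        addr = ipaddress.ip_address(src)
        if not count_excluded and any(addr in net for net in excluded):
            continue
        prefix = ipaddress.ip_network(f'{addr}/{mask_bits}', strict=False)
        buckets[prefix] += n
    return buckets


def blocks(queries, mask_bits, excluded, threshold, count_excluded):
    """Return the prefixes that would receive a dynamic block.

    A bucket is blocked when it is over the threshold and the aggregated
    prefix itself lies inside no excluded range. A /16 is never inside a /21,
    so the exclusion cannot shield it, which is the effect the report describes.
    """
    out = []
    for prefix, n in aggregate(queries, mask_bits, excluded,
                               count_excluded).items():
        if n <= threshold:
            continue
        if any(prefix.subnet_of(net) for net in excluded):
            continue
        out.append(str(prefix))
    return sorted(out)


if __name__ == '__main__':
    print('reported  /16:', blocks(SAMPLE, 16, EXCLUDED, THRESHOLD, True))
    print('requested /16:', blocks(SAMPLE, 16, EXCLUDED, THRESHOLD, False))
    print('reported  /24:', blocks(SAMPLE, 24, EXCLUDED, THRESHOLD, True))
```

With a /24 mask the over-threshold bucket (1.2.33.0/24) sits inside the excluded /21 and is left alone, showing why the exclusion only works when the excluded range is at least as wide as the mask.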