Berlin Adminstammtisch Presentation on DNSdist

Slides and notes on my dnsdist presentation from November 3rd

November 4, 2016

On November 3rd I did an introductory presentation on dnsdist during the monthly Adminstammtisch in Berlin. The presentation was entitled “dnsdist: the high-performant, DoS and abuse-aware DNS loadbalancer”. Here are the slides.

For those who don’t know, dnsdist is a DNS firewall/load balancer that is fully configured in Lua and provides (among many other things) live inspection of DNS traffic without slowing down the server it sits in front of. It also has a minimal memory footprint.

In true daredevil fashion, there was a live-demo involved. Below I’ve reproduced the dnsdist config:

controlSocket('0.0.0.0') -- for the console; bound to all interfaces for the demo, in production bind to 127.0.0.1 or a management address
setKey('MXNeLFWHUe4363BBKrY06cAsH8NWNb+Se2eXU5+Bb74=') -- for crypto; authenticates and encrypts console traffic, generate your own with makeKey()
webserver("127.0.0.1:8080", "geheim2") -- Enable the webserver for live-graphs and overview
carbonServer('37.252.122.50', 'lieter-demo', 10) -- Send stats every 10 seconds to the public PowerDNS metronome (https://metrics.powerdns.com)

-- Add 11 listen sockets so we can have multiple clients connecting
addLocal('127.0.0.1:5300')
for x = 1, 10 do
  addLocal('10.0.0.' .. x .. ':5300')
end

-- Default pool with 3 recursors
newServer({address='127.0.0.1:5301', name='backend1'})
newServer({address='127.0.0.1:5302', name='backend2'})
newServer({address='127.0.0.1:5303', name='backend3'})

-- One abuse recursor
newServer({address='127.0.0.1:5304', name='backend4', pool='abuse'})

function maintenance() -- called by dnsdist once per second
  local addresses = exceedQTypeRate(dnsdist.TLSA, 2, 10) -- Get all addresses that sent more than 2 TLSA queries per second, measured over the last 10 seconds
  addDynBlocks(addresses, "Exceeded TLSA", 60) -- Block them for 60 seconds
end

And here are some of the commands entered into the dnsdist console:

-- Block all .ru domains
addDomainBlock("ru.")

-- Create a netmaskgroup and add a single address to it
nmg = newNMG()
nmg:addMask('127.0.0.1/32')

-- Match on the netmaskgroup and QTYPE AAAA
selector = AndRule({NetmaskGroupRule(nmg), QTypeRule(dnsdist.AAAA)})

-- Delay these queries by 1500 milliseconds
addAction(selector, DelayAction(1500))

-- Allow a maximum of 3 queries per second to powerdns.com
addQPSLimit('powerdns.com', 3)

-- Send all traffic for google.com (and everything below it) to the abuse pool
addPoolRule({'google.com'}, 'abuse')

-- Add a packet cache of 10000 entries to the default pool (max TTL 86400s, min TTL 0, failure TTL 60s, stale TTL 60s)
pc = newPacketCache(10000, 86400, 0, 60, 60)
getPool(""):setCache(pc)
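The demo config is deliberately open (control socket on all interfaces, a published key, a short web password, no client ACL). As an added example that is not the slide deck's config and not part of the original post, here is a hardened variant of the same setup that I would run in production. The placeholder key and password, the 10.0.0.0/8 client network, the qps values and the dynamic-block thresholds are illustrative assumptions; the rest uses only dnsdist functions shown on this page or documented in dnsdist 1.x.

```lua
-- Added example: hardened variant of the demo config above (not the original post's config).
-- Addresses, thresholds and credentials are illustrative assumptions.

-- Management plane on loopback only; paste the setKey() line that makeKey() prints on the console.
controlSocket('127.0.0.1:5199')
setKey('REPLACE-WITH-makeKey()-OUTPUT')
webserver('127.0.0.1:8080', 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD')

-- Only answer the networks we actually serve; anything else is refused before any rule runs.
setACL({'127.0.0.0/8', '10.0.0.0/8'})

-- One listener on the real DNS port.
addLocal('10.0.0.1:53')

-- Default pool: cap each recursor so a saturated backend overflows to the next one
-- instead of piling up outstanding queries; pick the least loaded backend.
newServer({address='127.0.0.1:5301', name='backend1', qps=5000})
newServer({address='127.0.0.1:5302', name='backend2', qps=5000})
newServer({address='127.0.0.1:5303', name='backend3', qps=5000})
setServerPolicy(leastOutstanding)

-- Abuse pool: a single recursor that absorbs whatever we route there.
newServer({address='127.0.0.1:5304', name='backend4', pool='abuse'})

-- Rule chain, evaluated top to bottom; the first matching action wins.
-- 1. Reflection mitigation: ANY over UDP is answered truncated, forcing a TCP retry.
addAction(AndRule({QTypeRule(dnsdist.ANY), NotRule(TCPRule(true))}), TCAction())
-- 2. Per-source rate limit: above 50 qps from one IPv4 /32 (IPv6 /64, the defaults) also gets TC.
addAction(MaxQPSIPRule(50), TCAction())
-- 3. Route known-noisy zones to the abuse pool instead of blocking them outright.
addPoolRule({'google.com'}, 'abuse')
-- 4. Block a whole TLD: dnsdist answers NXDOMAIN itself, the recursors never see the query.
addDomainBlock('ru.')

-- Packet cache in front of the default pool: 10000 entries, TTL clamped to [0, 86400],
-- failure answers kept 60s, stale entries served for 60s while the backends are down.
pc = newPacketCache(10000, 86400, 0, 60, 60)
getPool(''):setCache(pc)

-- Called by dnsdist once a second. Each exceed*() call returns the source addresses that
-- went over the given per-second rate, measured across the last 10 seconds.
function maintenance()
  -- generic floods
  addDynBlocks(exceedQRate(20, 10), 'Exceeded query rate', 60)
  -- random-subdomain attacks show up as a stream of SERVFAILs per client
  addDynBlocks(exceedServFails(5, 10), 'Exceeded SERVFAIL rate', 60)
  -- the TLSA probe from the demo
  addDynBlocks(exceedQTypeRate(dnsdist.TLSA, 2, 10), 'Exceeded TLSA rate', 60)
end
```

Two things to watch when adapting this: the ACL and the dynamic blocks are applied per source address, so a NAT gateway or a busy monitoring host in front of many real clients will trip the thresholds long before an individual abuser does (size them for the largest legitimate aggregate source, and check `showDynBlocks()` on the console after deploying), and TC instead of DROP is the right default for the rate rules because it costs a real client one TCP retry while giving a spoofing attacker nothing to amplify.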

What struck me as really awesome was that during the demo I was processing around 10000 queries per second through dnsdist. While this was going on, memory usage did not exceed 30 Megabytes and (even with the recursors doing all the heavy lifting) my CPU was only 20% used, tops.