Berlin Adminstammtisch Presentation on DNSdist

On November 3rd I did an introductionary presentation on dnsdist during the monthly Adminstammtisch in Berlin. The presentation was entitled “dnsdist: the high-performant, DoS and abuse-aware DNS loadbalancer”. Here are the slides.

For those who don’t know, dnsdist is a DNS firewall/loadbalancer that is fully configured in Lua and provides (among many things) live DNS traffic inspection without slowing down the server. It also has a minimal memory-footprint.

In true daredevil fashion, there was a live-demo involved. Below I’ve reproduced the dnsdist config:

controlSocket('') -- for the console
setKey('MXNeLFWHUe4363BBKrY06cAsH8NWNb+Se2eXU5+Bb74=') -- for crypto
webserver("", "geheim2") -- Enable the webserver for live-graphs and overview
carbonServer('', 'lieter-demo', 10) -- Send stats to the public PowerDNS metronome (

-- Add 11 listen sockets so we can have multiple clients connecting
for x in pairs({1,2,3,4,5,6,7,8,9,10}) do
  addLocal('10.0.0.' .. x .. ':5300')

-- Default pool with 3 recursors
newServer({address='', name='backend1'})
newServer({address='', name='backend2'})
newServer({address='', name='backend3'})

-- One abuse recursor
newServer({address='', name='backend4', pool='abuse'})

function maintenance()
  addresses=exceedQTypeRate(dnsdist.TLSA, 2, 10) -- Get all addresses that asked for more than 2TLSA records in the last 10 seconds
  addDynBlocks(addresses,"Exceeded TLSA",60) -- Block them for 60 seconds

And here are some of the commands entered into the dnsdist console:

-- Block all .ru domains

-- Create a netmaskgroup and add a single address to it
nmg = newNMG()

-- Match on the netmaskgroup and QTYPE AAAA
selector = AndRule({NetmaskGroupRule(nmg), QTypeRule(dnsdist.AAAA)})

-- Delay these queries by 1500 millisecond
addAction(selector, DelayAction(1500))

-- Allow a maximum of 3 queries per second to
addQPSLimit('', 3)

-- Sens add traffic for (and everything below it) to the abue pool
addPoolRule({''}, 'abuse')

-- Add a packet cache of 10000 entries to the default pool
pc = newPacketCache(10000, 86400, 0, 60, 60)

What struck me as really awesome, was that during the demo I was processing around 10000 queries per second through dnsdist. While this was going on, memory-usage did not exceed 30 Megabytes and (even with the recursors doing all the heavy lifting) my CPU was only used for 20% tops.

340 Words

2016-11-04 09:47 +0100