Server pools

dnsdist has the concept to “server pools”, any number of servers can belong to a group.

Let’s say we know we’re getting a whole bunch of traffic for a domain used in DoS attacks, for example ‘example.com’. We can do two things with this kind of traffic. Either we block it outright, like this:

addAction("bad-domain.example.", dropAction())

Or we configure a server pool dedicated to receiving the nasty stuff:

newServer({address="192.0.2.3", pool="abuse"})         -- Add a backend server with address 192.0.2.3 and assign it to the "abuse" pool
addAction({'bad-domain1.example', 'bad-domain2.example.'}, PoolAction("abuse")) -- Send all queries for "bad-domain1.example." and "bad-domain2.example" to the "abuse" pool

The wonderful thing about this last solution is that it can also be used for things where a domain might possibly be legit, but it is still causing load on the system and slowing down the internet for everyone. With such an abuse server, ‘bad traffic’ still gets a chance of an answer, but without impacting the rest of the world (too much).

We can similarly add clients to the abuse server:

addPoolRule({"192.168.12.0/24", "192.168.13.14"}, "abuse")

To define a pool that should receive only a QPS-limited amount of traffic, do:

addQPSPoolRule("com.", 10000, "gtld-cluster")

Traffic exceeding the QPS limit will not match that rule, and subsequent rules will apply normally.

Both addDomainBlock() and addPoolRule end up the list of Rules and Actions (for which see below).

Servers can be added to or removed from pools with the Server:addPool() and Server:rmPool() functions respectively:

getServer(4):addPool("abuse")
getServer(4):rmPool("abuse")