Some customer hosts become compromised and are used to send SPAM, which in turn sends thousands of DNS requests per minute to your name server as they seek their recipients mail server addresses. Other customer hosts are configured to resolve their web server's log file or their mail server to perform envelope verification, which results in bursts of DNS requests. The end result of these situations and others is that often your public name server becomes over worked and is unable to reliably answer DNS requests for other non-abusive hosts.
There are many solutions to these types of issues, such as throwing more servers at it or buying specialized hardware solutions or firewalls that help to protect against abusive traffic. Another solution, if you're running your name server on a Linux system with nftables, is PHREL.
PHREL is a Per Host RatE Limiter written in C to efficiently track the rate of incoming traffic on a per host basis and insert rules into a dedicated nftables table when a configured threshold is crossed. The inserted rules may either rate limit or completely block the offending host for a period of time and will be automatically removed when the offending host's traffic levels return to normal. PHREL can be used with any type of traffic, but it is particularly well suited to protecting name servers from random hosts that flood DNS requests and preventing SSH brute force login attempts.
To use PHREL to protect your name server, install it directly on your name server by following the included install instructions. Visit the PHREL website to download a copy of the software.
Once PHREL is installed, it can be configured to accept its thresholds and other settings either via the command line or the default configuration file at /etc/phrel/phreld.conf. For the purposes of this article, we'll stick with the command line.
Since we're protecting a name server, we'll need to tell phreld (the PHREL daemon), to track incoming traffic on UDP port 53 (DNS) and specify what behavior we'd like for each threshold. The command below instructs phreld to use a threshold of 50 PPS (packets per second) with traffic being rate limited to 25 PPS if that threshold is crossed. Additionally, a threshold of 150 PPS is configured with traffic being completely blocked if a host reaches that traffic level.
> /usr/sbin/phreld -P udp -p 53 -T50:25 -T150:0
If you have hosts that you'd like PHREL to not block or enforce rate limiting against, that can be accomplished by using the -X (exclude) option. Also of note, the IP address of the host on which phreld is run is automatically excluded. For example, if you'd like to exclude servers within 39.250.66.0/24 and the host 23.120.42.2, modify the command line above like so.
> /usr/sbin/phreld -P udp -p 53 -T50:25 -T150:0 -X 39.250.66.0/24 -X 23.120.42.2
The same thresholds can be expressed in the configuration file using the v2.0+ brace-block syntax:
phrel {
protocol udp;
port 53;
threshold pps 50 rate 25;
threshold pps 150 rate 0;
exclude [ 39.250.66.0/24 23.120.42.2 ];
}
When phreld is started with no command-line options, it reads /etc/phrel/phreld.conf automatically.
If you operate multiple name servers behind a load balancer, PHREL can synchronize per-host statistics across instances using Redis. See phreld.conf(5) for the redis { } block and related options.
As PHREL takes action against abusive hosts, it will log everything it does to syslog.
There are many more options available to customize how PHREL operates. See the man page for the available options. Questions and bug reports may be sent to sella@digitalgenesis.com.