Also, at that time DNS-based DDoS attacks were really common, and running your own DNS servers could quickly become hard as they are often the targets of such attacks.
DDoS protection is quite expensive, and if you don't have any protection system, or enough monitoring and logging in place to automatically apply rate limiting or IP bans with tools such as dnsdist or CrowdSec (yes, fail2ban is officially dead), you may quickly run into problems…
That's one of the reasons we decided to host these PowerDNS servers outside of our network, within a public cloud provider with DDoS protection.
Later on, a dnsdist instance was set up in front of the PowerDNS servers to rate-limit queries and avoid too many problems. It proved effective. A lot, believe me.
Here’s a sample dnsdist configuration that we used:
-- tuning
setMaxUDPOutstanding(65000)
controlSocket('127.0.0.1:5199')
setKey("sup3rm4g4s3cur3k3y")
-- we should create as much addLocal() as we have CPU for intense workloads
addLocal('<our_public_ip>:53', {doTCP=true, reusePort=true})
-- allow all to recurse us
setACL("0.0.0.0/0")
newServer{address="<pdns_1_ip>", qps=10000, name="pdns-1", useClientSubnet=true, checkType="A", checkName="www.numberly.com.", mustResolve=true}
newServer{address="<pdns_2_ip>", qps=10000, name="pdns-2", useClientSubnet=true, checkType="A", checkName="www.numberly.com.", mustResolve=true}
setServerPolicy(roundrobin)
-- Drop ANY queries
addAction(QTypeRule(dnsdist.ANY), DropAction())
-- Apply Rate Limit for NXDomain and ServFail queries
local dbr = dynBlockRulesGroup()
dbr:setRCodeRate(dnsdist.NXDOMAIN, 5, 10, "Exceeded NXD rate", 60, DNSAction.Drop)
dbr:setRCodeRate(dnsdist.SERVFAIL, 5, 10, "Exceeded ServFail rate", 60, DNSAction.Drop)
dbr:excludeRange({"127.0.0.1/32", "10.0.0.0/8" })
function maintenance()
  dbr:apply()
end
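To make the dynamic block rules above concrete, here is an added example (written for this page, not code from the post or from dnsdist) that models what setRCodeRate(rcode, 5, 10, reason, 60, DNSAction.Drop) and excludeRange() do, and runs the model over constructed response records. It reads the rule as "more than rate × seconds responses with that rcode inside the trailing window of `seconds` seconds triggers a block of `blockDuration` seconds"; that threshold arithmetic is this example's interpretation, not dnsdist's source, and the client addresses are constructed from documentation ranges.

```python
"""Model of dnsdist-style dynamic block rules (added example, not dnsdist code).

Approximates setRCodeRate(rcode, rate, seconds, reason, blockDuration, DNSAction.Drop):
once a client has received more than rate * seconds responses carrying `rcode`
inside the trailing `seconds` window, that client is blocked for `blockDuration`
seconds. Ranges given to excludeRange() are never blocked.
"""
from collections import deque
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class RCodeRule:
    rcode: str            # e.g. "NXDOMAIN" or "SERVFAIL"
    rate: int             # responses per second that must be exceeded
    seconds: int          # length of the trailing window
    reason: str           # text attached to the block
    block_duration: int   # seconds the client stays blocked


@dataclass
class DynBlockRules:
    rules: list
    excluded: list = field(default_factory=list)   # ip_network objects
    history: dict = field(default_factory=dict)    # (client, rcode) -> deque of timestamps
    blocks: dict = field(default_factory=dict)     # client -> (expires_at, reason)

    def is_excluded(self, client: str) -> bool:
        addr = ipaddress.ip_address(client)
        return any(addr in net for net in self.excluded)

    def is_blocked(self, client: str, now: float) -> bool:
        """True while a block is active; expired blocks are removed lazily."""
        entry = self.blocks.get(client)
        if entry is None:
            return False
        if now >= entry[0]:
            del self.blocks[client]
            return False
        return True

    def observe_response(self, client: str, rcode: str, now: float):
        """Account one response sent to `client`; return the reason if it trips a rule."""
        if self.is_excluded(client) or self.is_blocked(client, now):
            return None
        for rule in self.rules:
            if rule.rcode != rcode:
                continue
            window = self.history.setdefault((client, rcode), deque())
            window.append(now)
            # Drop timestamps that fell out of the trailing window.
            while window and window[0] <= now - rule.seconds:
                window.popleft()
            if len(window) > rule.rate * rule.seconds:
                self.blocks[client] = (now + rule.block_duration, rule.reason)
                return rule.reason
        return None


def run_simulation(records, rules, excluded):
    """records: iterable of (timestamp, client, rcode) response tuples in time order.
    Returns the blocks triggered as {client: (timestamp, reason)}."""
    dbr = DynBlockRules(rules=rules, excluded=[ipaddress.ip_network(r) for r in excluded])
    triggered = {}
    for ts, client, rcode in records:
        reason = dbr.observe_response(client, rcode, ts)
        if reason is not None:
            triggered[client] = (ts, reason)
    return triggered


# Rules mirroring the dnsdist configuration above.
RULES = [
    RCodeRule("NXDOMAIN", 5, 10, "Exceeded NXD rate", 60),
    RCodeRule("SERVFAIL", 5, 10, "Exceeded ServFail rate", 60),
]
EXCLUDED = ["127.0.0.1/32", "10.0.0.0/8"]


def constructed_records():
    """Constructed traffic (documentation address ranges): one external client
    hammering non-existent names, one internal (excluded) client doing the same,
    and one client with a modest NXDOMAIN rate."""
    out = []
    for i in range(80):                      # 10 NXDOMAIN/s for 8 s
        out.append((i / 10, "203.0.113.7", "NXDOMAIN"))
        out.append((i / 10, "10.1.2.3", "NXDOMAIN"))
    for i in range(20):                      # 2 NXDOMAIN/s for 10 s
        out.append((i / 2, "198.51.100.9", "NXDOMAIN"))
    return sorted(out)


if __name__ == "__main__":
    for client, (ts, reason) in run_simulation(constructed_records(), RULES, EXCLUDED).items():
        print(f"t={ts:5.1f}s block {client}: {reason}")
```

With the rules from the configuration, the external client crosses the threshold on its 51st NXDOMAIN response (at t = 5.0 s) and is blocked for 60 s, the 10.0.0.0/8 client is never blocked because of the exclusion, and the 2 NXDOMAIN/s client stays under the 5/s rate. Tuning `rate` and `seconds` against real response logs this way, before enabling DNSAction.Drop, is the practical check that the rule will not lock out legitimate resolvers that happen to generate bursts of NXDOMAIN.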
A few years later, with the growing use of Kubernetes at Numberly, we had to connect Kubernetes with PowerDNS in order to let our developers expose their web applications directly from their Kubernetes ingress configuration.
But one of the cons of the PowerDNS API is that it is not multi-tenant: PowerDNS gives you a single API key.