
Synchronization of dynamic rules between instances

Defender can automatically synchronize dynamic rules generated by an instance in response to an attack to all DNSdist instances in a cluster, making sure that all instances quickly learn that a given client is misbehaving or that a domain is under attack.

This feature requires DNSdist >= 1.9.8 and the presence of a NATS server. NATS is a secure, high-performance, open-source messaging system. It supports clustering to provide high availability.

Once the NATS server has been set up, at least one DNSdist instance must be configured to publish the dynamic rules it generates to the NATS bus:

```yaml
---
- type: nats-servers
  servers:
    main:
      host: "192.0.2.1"
      tls: true
      username: foo
      password: bar
      tls_ca_path: "path/to/ca/certificates/"
      tls_certificate: "path/to/certificate.crt"
      tls_key: "path/to/key.pem"
- type: query-rate
  rate: 200
  seconds: 10
  comment: "Query rate exceeded"
  action: refused
  action_duration: 60
- type: prsd
  failures:
    - "nxdomain"
    - "servfail"
    - "timeout"
    - "other-rcodes"
  maximum_queries_per_child_ratio: 2
  maximum_cache_hit_ratio: 0.2
  minimum_failure_ratio: 0.8
  minimum_number_of_children: 50
  minimum_number_of_labels: 2
  minimum_number_of_qps: 100
  include_queries_to_domain: true
  action: refused
  window: 60
  action_duration: 60
  comment: "Pseudo-Random Subdomain Attack"
- type: dynamic-rules-sync
  server: main
  publish: true
  publish_suffixes: true
  publish_netmasks: true
  consume: true
```

The DNSdist Lua configuration of that instance then loads the file above and registers the Defender object:

```lua
-- create a new defender sync object, using the configuration
-- from defender-dynblock-publisher.yml
local defender = defender:new('defender-dynblock-publisher.yml')

-- register the defender object, it will register itself in
-- the necessary dnsdist hooks
defender:setup()
```

Other DNSdist instances that should be synchronized will have to be configured to do so:

```yaml
---
- type: nats-servers
  servers:
    main:
      host: "192.0.2.1"
- type: dynamic-rules-sync
  server: main
  publish: false
  consume: true
```

```lua
local defender = defender:new('defender-dynblock-consumer.yml')
defender:setup()
```

Note that in this example the first DNSdist instance is both publishing its own dynamic rules and consuming the ones exported by other instances, while the second instance is only consuming rules. Other layouts are possible, including having every instance publish its own dynamic rules and consume the ones exported by the others.
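Because every instance decides for itself whether it publishes, consumes, or both, it is easy to end up with a cluster where rules never actually flow (only consumers, or a publisher whose server block nobody else points at), or where the NATS connection carries rules and credentials in cleartext. The following checker is an added example, not part of Defender or DNSdist: it models the documented settings (`nats-servers`, `dynamic-rules-sync` with `server`, `publish`, `consume`, `publish_suffixes`, `publish_netmasks`) as plain Python data so it runs without a YAML library, and it assumes that a missing `publish`, `consume` or `tls` key means "off". The two configurations are constructed to mirror the publisher and consumer above.

```python
"""Lint Defender dynamic-rules-sync configurations (added illustration).

Assumptions (not taken from the Defender documentation): a missing
publish / consume / tls key is treated as false, and instances are matched
across the cluster by the NATS host they point at, not by the local server
name, since two instances can both call a different server "main".
"""

# Constructed examples mirroring the publisher and consumer on this page.
PUBLISHER_CONFIG = [
    {"type": "nats-servers",
     "servers": {"main": {"host": "192.0.2.1", "tls": True,
                          "username": "foo", "password": "bar",
                          "tls_ca_path": "path/to/ca/certificates/",
                          "tls_certificate": "path/to/certificate.crt",
                          "tls_key": "path/to/key.pem"}}},
    {"type": "query-rate", "rate": 200, "seconds": 10,
     "action": "refused", "action_duration": 60},
    {"type": "dynamic-rules-sync", "server": "main", "publish": True,
     "publish_suffixes": True, "publish_netmasks": True, "consume": True},
]

CONSUMER_CONFIG = [
    {"type": "nats-servers", "servers": {"main": {"host": "192.0.2.1"}}},
    {"type": "dynamic-rules-sync", "server": "main",
     "publish": False, "consume": True},
]


def nats_servers(config):
    """Collect all NATS servers declared in a config, keyed by local name."""
    servers = {}
    for section in config:
        if section.get("type") == "nats-servers":
            servers.update(section.get("servers", {}))
    return servers


def lint_instance(config):
    """Return human-readable findings for a single instance's config."""
    findings = []
    servers = nats_servers(config)
    syncs = [s for s in config if s.get("type") == "dynamic-rules-sync"]
    if not syncs:
        findings.append("no dynamic-rules-sync section: instance stays isolated")
    for name, srv in servers.items():
        has_secret = any(k in srv for k in ("username", "password", "tls_key"))
        if not srv.get("tls", False):
            findings.append(f"server {name}: rules travel in cleartext (tls not enabled)")
            if has_secret:
                findings.append(f"server {name}: credentials configured without tls")
    for sync in syncs:
        server = sync.get("server")
        if server not in servers:
            findings.append(f"dynamic-rules-sync references undefined server {server!r}")
        publish = sync.get("publish", False)
        consume = sync.get("consume", False)
        if not publish and not consume:
            findings.append("dynamic-rules-sync neither publishes nor consumes")
        # Publishing with both rule kinds explicitly disabled sends nothing.
        if publish and sync.get("publish_suffixes") is False \
                and sync.get("publish_netmasks") is False:
            findings.append("publish is on but suffixes and netmasks are both disabled")
    return findings


def sync_role(config):
    """Return (nats_host, publish, consume) for the instance, or None."""
    servers = nats_servers(config)
    for section in config:
        if section.get("type") == "dynamic-rules-sync":
            host = servers.get(section.get("server"), {}).get("host")
            return (host, bool(section.get("publish", False)),
                    bool(section.get("consume", False)))
    return None


def lint_cluster(instances):
    """instances: dict of instance name -> config. Return cluster findings:
    for every NATS host, at least one instance must publish and one consume,
    otherwise generated dynamic rules never reach anybody."""
    findings = []
    by_host = {}
    for name, config in instances.items():
        role = sync_role(config)
        if role is None:
            findings.append(f"{name}: not part of the sync")
            continue
        host, publish, consume = role
        entry = by_host.setdefault(host, {"publishers": [], "consumers": []})
        if publish:
            entry["publishers"].append(name)
        if consume:
            entry["consumers"].append(name)
    for host, entry in by_host.items():
        if not entry["publishers"]:
            findings.append(f"host {host}: nobody publishes, consumers never receive rules")
        if not entry["consumers"]:
            findings.append(f"host {host}: nobody consumes, published rules are dropped")
    return findings


if __name__ == "__main__":
    for label, cfg in (("publisher", PUBLISHER_CONFIG), ("consumer", CONSUMER_CONFIG)):
        print(label, lint_instance(cfg))
    print("cluster", lint_cluster({"a": PUBLISHER_CONFIG, "b": CONSUMER_CONFIG}))
```

Run against the two configurations from this page, the publisher passes cleanly, the consumer is flagged because its `main` server has no `tls: true`, and the pair together forms a working cluster; a cluster made only of consumers is reported as one where nobody publishes.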

Please refer to the dynamic rules sync settings reference for the complete description of the settings.