How to handle crazy amount of dropped requests

[narduin]

Hello!

I've started using technitium last week with a cluster of 2 servers. Everything runs fine, I'm hosting a couple domains and configured dot, doh, quic, etc. I've installed the "Drop Requests" app and set lower rate limiting settings.

I have not configured ACL because I'm using it on my phone and the IP changes regularly (same when I'm not at home with my laptop). For a few days now,

I'm getting between 7000/8000 dropped requests per minute… Technitium handles that perfectly it's pretty incredible.
I would like to know if I can do anything to get rid of this crazy amount of requests that are clearly some kind of attack (found a reddit thread about a similar situation).
I tried using the system firewall but there are too many IP addresses used.

Is my only option setting ACL and a VPN to get fixed IPs?
Is there any risk to let all those dropped request coming or can I just ignore them?
Should I try to geo-block IPs not from my location?

Thanks a lot!

[ShreyasZare]

Thanks for asking. What you see is DNS amplification attack in progress. These are sadly very common and there is nothing much you can do about them. The only mitigation is to have query rate limiting configured and keep regular watch on the DNS server dashboard to detect any new attack. Once you see a new attack and if it uses a specific domain and type, you can then use the Drop Requests app and add that domain name and type that must be dropped.

Blocking IP address is something that is not feasible since these IP addresses keep varying and are of the victims of the attack. So using the Drop Requests app is enough to mitigate these attacks. These go away after a few days or a couple of weeks so you just need to drop and ignore them.

Geo blocking may cause issues since these geo IP databases are not always accurate and it may end up blocking your IP address if that gets detected outside of the geo blocked region.

[narduin]

Thank you for the quick reply!
I have no idea which domain is used as everything gets dropped. Are there logs for the drop app ?
I used ntopng to identify the malicious request IPs but there are so many 🥲

[ShreyasZare]

You're welcome. If the requests are getting dropped due to rate limiting then you should see some data in the top domains on the dashboard to give clues on what domain is being queried frequently. You can also enable query logging in Settings > Logging section and then keep a watch on the log files to see what domain name is being queried frequently. Don't bother with the IP addresses, they will be many of them plus these are the victim's IP addresses not that of the attacker's.