We have deployed a comprehensive security overhaul to protect our DNS infrastructure against volumetric attacks and abuse. The new system operates at the kernel level using nftables with optimized rulesets, providing wire-speed packet filtering before traffic reaches our application layer.
Key Components:
• Kernel-Level Rate Limiting: 50 queries/second per IP with intelligent meter timeouts that auto-expire entries, preventing memory exhaustion during attacks.
• dns-bot-guard v2.1: Our custom threat detection system monitors query patterns in real-time, automatically blocking /24 ranges when botnets are detected.
• Automated Blocklists: Daily updates from FireHOL (Level 1 & 2) and Spamhaus DROP/EDROP, providing 4,600+ pre-emptive IP range blocks.
• Protocol Coverage: Protection applies uniformly to DoH (443), DoT (853), DoQ (853/UDP), and standard DNS (53).
The system successfully mitigated multiple botnet attacks during testing, automatically identifying and blocking malicious /16 ranges within minutes.
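As an added illustration (not the ruleset actually deployed, which this announcement does not reproduce), the nftables table below implements the per-IP budget described in the Key Components list: 50 queries/second per source, tracked in a dynamic set per address family whose entries expire on their own after a quiet period, applied to the same listener ports for UDP and TCP, with a static set standing in for the feed-driven blocklist. The table and set names, the 60s expiry, the set sizes and the sample blocklist prefix are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not the page's production ruleset. Creating the table
# first and flushing only it keeps other tables on the host untouched.
add table inet dns_guard
flush table inet dns_guard

table inet dns_guard {
    # Pre-emptive blocks, e.g. refreshed daily from FireHOL/Spamhaus feeds.
    set blocklist_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }   # constructed sample prefix, not a real IoC
    }

    # Per-source meters: an entry is created on first sight and removed
    # after 60s without traffic, so memory stays bounded during a flood.
    set ratelimit_v4 {
        type ipv4_addr
        flags dynamic
        timeout 60s
        size 65535
    }
    set ratelimit_v6 {
        type ipv6_addr
        flags dynamic
        timeout 60s
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy accept;
        ip saddr @blocklist_v4 counter drop

        # Same budget for Do53, DoH (443), DoT (853/TCP) and DoQ (853/UDP).
        udp dport { 53, 443, 853 } jump dns_meter
        tcp dport { 53, 443, 853 } jump dns_meter
    }

    chain dns_meter {
        # Only packets above 50/s from one source are dropped; the rest pass.
        update @ratelimit_v4 { ip saddr limit rate over 50/second } counter drop
        update @ratelimit_v6 { ip6 saddr limit rate over 50/second } counter drop
    }
}
```

Load with `nft -f` and watch the live offenders and their remaining lifetimes with `nft list set inet dns_guard ratelimit_v4`; the `counter` on each drop rule gives a quick sanity check that the budget is actually being hit during a test.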
Major infrastructure hardening with kernel-level nftables firewall, intelligent bot detection, automated threat blocklists, and multi-layer rate limiting across all DNS protocols.
Highlights
- nftables kernel-level firewall with 50 qps rate limiting
- dns-bot-guard v2.1 with Redis caching & auto-range blocking
- FireHOL + Spamhaus blocklists (4,600+ malicious ranges)
- Automated weekly maintenance & log rotation
- nginx upstream connection pooling for DoH
- QUIC retry tokens enabled for HTTP/3 DDoS mitigation