[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Phil Regnauld regnauld at nsrc.org
Wed Jun 22 08:18:53 UTC 2011

Stephane Bortzmeyer (bortzmeyer) writes:
> On Wed, Jun 22, 2011 at 09:06:29AM +0100,
>  Simon Munton <Simon.Munton at communitydns.net> wrote 
>  a message of 25 lines which said:
> > iptables --limit or --hashlimit ?
> Yes, rate-limiting outside of the name server seems reasonable.

	Assuming the target is a single IP, yes, otherwise you're creating
	more occasions for DoS.  Ideally you'd want to go inside the DNS
	query and look at repeated queries for the same name+type, possibly
	even the same query id.
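
To make the distinction above concrete, here is an added example (mine, not Phil's or anyone else's code from the thread) that parses the question section of raw DNS queries and applies a sliding-window limit keyed on (source, qname, qtype), then compares it with a limiter keyed on the source IP alone, the way an iptables --hashlimit rule would see the traffic. The sample packets, the victim address 192.0.2.10 and the thresholds are constructed for the demo.

```python
"""Sliding-window rate limiting of DNS queries keyed on the query itself.

Added illustration, not from the dns-operations thread. Packets, addresses
(192.0.2.10 as the spoofed source) and thresholds are assumptions.
"""
import struct
from collections import defaultdict, deque


def parse_query(packet: bytes):
    """Return (id, qname, qtype) from the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated qname")
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not expected in a question
            raise ValueError("compression pointer in question qname")
        labels.append(packet[off:off + n].decode("ascii").lower())
        off += n
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return qid, ".".join(labels) + ".", qtype


def build_query(qid: int, qname: str, qtype: int = 16) -> bytes:
    """Build a minimal DNS query (constructed test input; 16 = TXT, 1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


class QueryRateLimiter:
    """Allow at most `limit` hits per key within a trailing `window` seconds."""

    def __init__(self, limit: int, window: float, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = defaultdict(deque)

    def allow(self, src: str, packet: bytes, now: float) -> bool:
        qid, qname, qtype = parse_query(packet)
        q = self.hits[self.key_fn(src, qid, qname, qtype)]
        while q and now - q[0] > self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Key functions: what --hashlimit on the source sees, versus looking inside
# the query as the post suggests (with the query id as an optional extra).
def key_by_source(src, qid, qname, qtype):
    return src

def key_by_query(src, qid, qname, qtype):
    return (src, qname, qtype)

def key_by_query_id(src, qid, qname, qtype):
    return (src, qid, qname, qtype)


def simulate(limit: int = 5, window: float = 1.0) -> dict:
    """Reflected attack traffic plus a few legitimate queries from the same
    (spoofed) source; returns what each limiter allowed or dropped."""
    victim = "192.0.2.10"  # spoofed source = amplification target (constructed)
    limiters = {"per_ip": QueryRateLimiter(limit, window, key_by_source),
                "per_query": QueryRateLimiter(limit, window, key_by_query)}
    results = {k: {"attack_allowed": 0, "legit_dropped": 0} for k in limiters}
    attack = build_query(0x1234, "example.com.", 16)  # same id, name and type
    t = 0.0
    for i in range(40):
        t += 0.01
        for name, lim in limiters.items():
            if lim.allow(victim, attack, t):
                results[name]["attack_allowed"] += 1
        if i % 10 == 9:  # an unrelated query from the same source address
            legit = build_query(0x4000 + i, f"host{i}.example.net.", 1)
            for name, lim in limiters.items():
                if not lim.allow(victim, legit, t):
                    results[name]["legit_dropped"] += 1
    return results


if __name__ == "__main__":
    print(simulate())
```

With a limit of 5 per second, both limiters let the first five copies of the repeated example.com TXT query through and drop the remaining 35. The difference is in the collateral damage: the per-IP limiter also drops all four unrelated queries that happen to carry the same (spoofed) source address, whereas the per-(source, name, type) limiter drops none of them.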

