[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
regnauld at nsrc.org
Wed Jun 22 08:18:53 UTC 2011
Stephane Bortzmeyer (bortzmeyer) writes:
> On Wed, Jun 22, 2011 at 09:06:29AM +0100,
> Simon Munton <Simon.Munton at communitydns.net> wrote
> a message of 25 lines which said:
> > iptables --limit or --hashlimit ?
> Yes, rate-limiting outside of the name server seems reasonable.
Assuming the target is a single IP, yes, otherwise you're creating
more occasions for DoS. Ideally you'd want to go inside the DNS
query and look at repeated queries for the same name+type, possibly
even the same query id.
More information about the dns-operations