[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Marco Davids (SIDN)
marco.davids at sidn.nl
Wed Jun 22 10:50:40 UTC 2011
On 06/22/11 11:43, Ray Bellis wrote:
>> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
>
> Not if you have working ip6tables at the same time.
But before you deploy that, make sure your host-based firewall
understands IPv6 fragments.
OpenBSD pf still doesn't seem to support them:
http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
Not sure how iptables deals with them.
--
Marco
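Why fragment handling matters for a DNS host firewall, as an added illustration that is not part of Marco's post or any real ip6tables/pf configuration: a DNSSEC-sized UDP response that exceeds the path MTU is split into IPv6 fragments, and only the first fragment carries the UDP header. A stateless "accept udp sport 53" rule therefore accepts the first fragment and drops the rest, which is exactly the self-DoS being discussed; a firewall that reassembles (or otherwise understands the fragment header) sees the whole datagram. The code below builds the packets itself (constructed addresses in 2001:db8::/32, a constructed 1400-byte response body, an MTU of 1280 and UDP checksum left at zero since nothing is sent) and models both filters. Function and variable names are mine, not anything from a firewall product.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_UDP = 17    # next-header value for UDP
NH_FRAG = 44   # next-header value for the IPv6 Fragment extension header


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header + payload. Checksum stays 0: this demo never touches a real stack."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def fragment(src: str, dst: str, upper_nh: int, upper: bytes, mtu: int, ident: int) -> list:
    """Split an upper-layer datagram into IPv6 packets that each fit in `mtu` bytes.

    Fragment offsets are in 8-octet units (RFC 8200 section 4.5), so every
    non-final fragment carries a multiple of 8 payload bytes.
    """
    if IPV6_HDR_LEN + len(upper) <= mtu:
        return [ipv6_header(src, dst, upper_nh, len(upper)) + upper]
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    packets = []
    for off in range(0, len(upper), chunk):
        piece = upper[off:off + chunk]
        more = 1 if off + chunk < len(upper) else 0
        # fragment header: next header, reserved, (offset/8)<<3 | M flag, identification
        frag_hdr = struct.pack("!BBHI", upper_nh, 0, ((off // 8) << 3) | more, ident)
        packets.append(ipv6_header(src, dst, NH_FRAG, FRAG_HDR_LEN + len(piece)) + frag_hdr + piece)
    return packets


def parse(pkt: bytes):
    """Return (upper-layer next header, fragment info or None, payload) for one packet."""
    nh = pkt[6]
    body = pkt[IPV6_HDR_LEN:]
    if nh != NH_FRAG:
        return nh, None, body
    inner_nh, _reserved, off_flags, ident = struct.unpack("!BBHI", body[:FRAG_HDR_LEN])
    frag = {"offset": (off_flags >> 3) * 8, "more": off_flags & 1, "id": ident}
    return inner_nh, frag, body[FRAG_HDR_LEN:]


def udp_ports(nh: int, frag, payload: bytes):
    """Ports are only visible when the UDP header is actually inside this packet."""
    if nh != NH_UDP or (frag is not None and frag["offset"] != 0) or len(payload) < 8:
        return None
    return struct.unpack("!HH", payload[:4])


def stateless_accepts(pkt: bytes) -> bool:
    """Model of 'accept udp sport 53, drop everything else' with no reassembly."""
    ports = udp_ports(*parse(pkt))
    return ports is not None and ports[0] == 53


def reassemble(pkts: list):
    """Rebuild one datagram from its fragments; None if incomplete, gapped or overlapping."""
    pieces, total, nh = {}, None, None
    for pkt in pkts:
        pnh, frag, payload = parse(pkt)
        if frag is None:          # not fragmented at all
            return pnh, payload
        nh = pnh
        pieces[frag["offset"]] = payload
        if not frag["more"]:
            total = frag["offset"] + len(payload)
    if total is None:
        return None
    out = b""
    for off in sorted(pieces):
        if off != len(out):       # gap or overlap: refuse rather than guess
            return None
        out += pieces[off]
    return (nh, out) if len(out) == total else None


def fragment_aware_accepts(pkts: list) -> bool:
    """Same rule as stateless_accepts, but applied after reassembly."""
    result = reassemble(pkts)
    if result is None:
        return False
    nh, upper = result
    ports = udp_ports(nh, None, upper)
    return ports is not None and ports[0] == 53


# Constructed sample: a resolver at 2001:db8::53 answering 2001:db8::1 with a 1400-byte
# body standing in for a large DNSSEC response (not real DNS wire format).
SRC, DST = "2001:db8::53", "2001:db8::1"
RESPONSE = build_udp(53, 40000, b"\x13\x37" + b"\x00" * 1398)
FRAGS = fragment(SRC, DST, NH_UDP, RESPONSE, mtu=1280, ident=0xDEADBEEF)


def demo() -> dict:
    return {
        "fragments": len(FRAGS),
        "stateless": [stateless_accepts(p) for p in FRAGS],
        "reassembling": fragment_aware_accepts(FRAGS),
    }


if __name__ == "__main__":
    print(demo())
```

The stateless model accepts the first fragment and drops the second, so the resolver's answer never completes at the client. A real host firewall needs either reassembly before filtering or explicit fragment-aware rules; on Linux, ip6tables has a `frag` match (`-m frag` with `--fragfirst`/`--fragmore`) and the conntrack path reassembles IPv6 fragments before rules are evaluated, but check the behaviour on your own kernel and ruleset rather than assuming it.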