[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Jun 22 10:50:40 UTC 2011

On 06/22/11 11:43, Ray Bellis wrote:

>> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
> Not if you have working ip6tables at the same time.

But before you deploy that, make sure your host-based firewall
understands IPv6 fragments.

OpenBSD pf still doesn't seem to support them:


Not sure how IPtables deals with them.
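The fragment problem the post is pointing at, as an added example that is not part of the original message or of either firewall's code: a large UDP/53 reply is split into IPv6 fragments, and only the first fragment carries the UDP header. A purely per-packet rule keyed on "udp sport 53" can therefore match the first fragment only; under a default-deny policy the remaining fragments are dropped and the response never reassembles on the resolver. The addresses, the fragment identification and the zero-filled payload are constructed for the example, and the two matcher functions stand in for a stateless rule and a reassembly-aware one rather than reproducing pf or ip6tables internals.

```python
"""IPv6 fragmentation versus stateless per-port firewall rules.

Added example, not from the dns-operations thread: builds a large UDP/53
reply as an IPv6 packet, splits it into fragments the way a sending host
would (RFC 8200 section 4.5), and shows that only the first fragment
carries the UDP header. Addresses, identification and payload are
constructed; the matchers mimic firewall behaviour, they are not pf code.
"""
import struct

NEXT_HEADER_UDP = 17
NEXT_HEADER_FRAGMENT = 44
IPV6_HEADER_LEN = 40
FRAG_HEADER_LEN = 8

SRC = bytes.fromhex("20010db8000000000000000000000053")  # 2001:db8::53 (constructed)
DST = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (constructed)


def ipv6_header(payload_len, next_header, src=SRC, dst=DST):
    # Version 6, traffic class 0, flow label 0, hop limit 64.
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def udp_reply(payload, sport=53, dport=40000):
    # Checksum left zero: IPv6 requires a UDP checksum, but this is a
    # packet-shape demo and nothing here goes on the wire.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(udp_segment, mtu=1280, ident=0x1234):
    """Split one UDP segment into IPv6 fragments.

    Every fragment gets a Fragment extension header; the offset is in
    8-octet units and the M (more) flag is set on all but the last one.
    """
    chunk = (mtu - IPV6_HEADER_LEN - FRAG_HEADER_LEN) // 8 * 8
    frags = []
    for off in range(0, len(udp_segment), chunk):
        piece = udp_segment[off:off + chunk]
        more = 1 if off + chunk < len(udp_segment) else 0
        # next header of the fragmentable part, reserved, offset|res|M, identification
        frag_hdr = struct.pack("!BBHI", NEXT_HEADER_UDP, 0, ((off // 8) << 3) | more, ident)
        frags.append(ipv6_header(FRAG_HEADER_LEN + len(piece), NEXT_HEADER_FRAGMENT) + frag_hdr + piece)
    return frags


def stateless_allow_udp_sport53(pkt):
    """Mimics a per-packet rule such as 'pass in proto udp from port 53'.

    A UDP header is only present in an unfragmented packet or in the first
    fragment (offset 0); every other fragment has no L4 header to match on,
    so a default-deny policy drops it.
    """
    nh = pkt[6]
    payload = pkt[IPV6_HEADER_LEN:]
    if nh == NEXT_HEADER_FRAGMENT:
        nh = payload[0]
        offset = struct.unpack("!H", payload[2:4])[0] >> 3
        if offset != 0:
            return False
        payload = payload[FRAG_HEADER_LEN:]
    if nh != NEXT_HEADER_UDP:
        return False
    return struct.unpack("!H", payload[:2])[0] == 53


def reassemble(frags):
    """Reassemble fragments of one packet back into the UDP segment."""
    parts = {}
    total = None
    for pkt in frags:
        if pkt[6] != NEXT_HEADER_FRAGMENT:
            return None
        fh = pkt[IPV6_HEADER_LEN:IPV6_HEADER_LEN + FRAG_HEADER_LEN]
        offres, _ident = struct.unpack("!HI", fh[2:8])
        offset, more = (offres >> 3) * 8, offres & 1
        data = pkt[IPV6_HEADER_LEN + FRAG_HEADER_LEN:]
        parts[offset] = data
        if not more:
            total = offset + len(data)
    buf = b"".join(parts[k] for k in sorted(parts))
    if total is None or len(buf) != total:
        return None  # a dropped fragment means the whole response is lost
    return buf


def reassembly_aware_allow_udp_sport53(frags):
    """What a firewall that reassembles (or tracks) fragments can decide."""
    segment = reassemble(frags)
    return segment is not None and struct.unpack("!H", segment[:2])[0] == 53


def demo(response_size=3000):
    # Roughly the size of a large DNSSEC answer; constructed, not real DNS data.
    frags = fragment(udp_reply(b"\x00" * response_size))
    return {
        "fragments": len(frags),
        "stateless_passed": [stateless_allow_udp_sport53(f) for f in frags],
        "reassembly_passed": reassembly_aware_allow_udp_sport53(frags),
    }


if __name__ == "__main__":
    print(demo())
```

With a 1280-byte path MTU the 3 kB reply becomes three fragments; the stateless matcher passes the first and rejects the other two, while the reassembly-aware matcher accepts the whole response. That is the check to run against any host firewall put in front of a DNSSEC-signed authoritative server.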