[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Marco Davids (SIDN)
marco.davids at sidn.nl
Wed Jun 22 10:50:40 UTC 2011
On 06/22/11 11:43, Ray Bellis wrote:
>> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
> Not if you have working ip6tables at the same time.
But before you deploy that, make sure your host-based firewall
understands IPv6 fragments.
OpenBSD pf still doesn't seem to support them:
Not sure how iptables deals with them.