[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
sthaug at nethelp.no
Wed Jun 22 11:17:56 UTC 2011
> >> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
> >
> > Not if you have working ip6tables at the same time.
>
> But before you deploy that, make sure your host based firewall
> understands IPv6 fragments.
>
> OpenBSD pf still doesn't seem to support them:
>
> http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
>
> Not sure how IPtables deals with them.
Same problem with FreeBSD ipfw:
<http://www.freebsd.org/cgi/query-pr.cgi?pr=145733>
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
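The reason fragment support matters for a host-based firewall in front of a DNS server is that only the first fragment of an IPv6 datagram carries the UDP or TCP header; later fragments carry a Fragment extension header and raw payload, so a stateless port match has nothing to look at. The following is an added illustration, not code from this thread or from any of the firewalls named in it: it walks the IPv6 extension-header chain the way a fragment-aware filter must, then applies a minimal "allow UDP to port 53" policy and shows which packets such a filter cannot decide on without fragment tracking or reassembly. All packets are constructed in-line (addresses from the 2001:db8::/32 documentation range), and the function names and the `reassemble` verdict are assumptions of this example.

```python
"""Walk an IPv6 extension-header chain and decide whether a stateless
port filter can even see the transport header.  Added example; the
packets below are constructed in-line, not captured traffic."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP = 6, 17
# Extension headers that share the (next-header, hdr-ext-len) layout.
VARIABLE_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def classify(pkt: bytes) -> dict:
    """Return the upper-layer protocol, the ports if present, and fragment info."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag = pkt[6], 40, None
    while nh in VARIABLE_EXT or nh == FRAGMENT:
        if nh == FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated Fragment header")
            nh, _res, fo_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            off += 8
            # 13-bit offset in 8-octet units, 2 reserved bits, 1-bit M (more) flag
            frag = {"offset": (fo_flags >> 3) * 8, "more": bool(fo_flags & 1), "id": ident}
            if frag["offset"] != 0:
                # Non-first fragment: the transport header lives in another
                # packet, so a port match here has nothing to match on.
                return {"kind": "non-first-fragment", "proto": nh, "ports": None, "frag": frag}
        else:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8       # length excludes the first 8 octets
    ports = None
    if nh in (TCP, UDP) and len(pkt) >= off + 4:
        ports = struct.unpack("!HH", pkt[off:off + 4])   # (sport, dport)
    return {"kind": "first-fragment" if frag else "unfragmented",
            "proto": nh, "ports": ports, "frag": frag}


def verdict(pkt: bytes, allowed_udp_dport: int = 53) -> str:
    """Minimal stateless policy: allow UDP to one port.  'reassemble' marks
    packets a fragment-unaware filter would either drop blindly (self-DoS)
    or accept blindly (filter bypass); a real firewall must track them."""
    info = classify(pkt)
    if info["kind"] == "non-first-fragment":
        return "reassemble"
    if info["kind"] == "first-fragment" and info["ports"] is None:
        return "drop"   # first fragment without its transport header (RFC 7112)
    if info["proto"] == UDP and info["ports"] and info["ports"][1] == allowed_udp_dport:
        return "accept"
    return "drop"


# --- constructed sample packets -------------------------------------------
def ipv6(payload: bytes, next_header: int) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")  # constructed 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000053")  # constructed 2001:db8::53
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def fragment_header(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | int(more), ident)


# UDP header: sport 40000 -> dport 53, length 12, checksum 0, plus 4 data bytes
UDP_DNS = struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4

SAMPLES = {
    "plain": ipv6(UDP_DNS, UDP),
    "first": ipv6(fragment_header(UDP, 0, True, 0x1234) + UDP_DNS, FRAGMENT),
    "later": ipv6(fragment_header(UDP, 1280, False, 0x1234) + b"\x00" * 16, FRAGMENT),
    # Destination Options (one PadN option) in front of UDP
    "dstopts": ipv6(bytes([UDP, 0, 1, 4, 0, 0, 0, 0]) + UDP_DNS, DEST_OPTS),
    # first fragment that carries no transport header at all
    "headless": ipv6(fragment_header(UDP, 0, True, 0x5678), FRAGMENT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} {verdict(pkt):11s} {classify(pkt)}")
```

The `later` sample is the one that bites: it is a legitimate piece of a large DNS response, yet it carries no port numbers, so a filter that evaluates each packet on its own must either pass all non-first fragments or drop them, and the thread above is about firewalls that get this wrong. Tracking first-fragment verdicts by (source, destination, identification) or reassembling before filtering is what fragment support means in practice.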