[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

sthaug at nethelp.no
Wed Jun 22 11:17:56 UTC 2011

> >> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
> > 
> > Not if you have working ip6tables at the same time.
> But before you deploy that, make sure your host based firewall
> understands IPv6 fragments.
> OpenBSD pf still doesn't seem to support them:
> http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
> Not sure how IPtables deals with them.

Same problem with FreeBSD ipfw:


Steinar Haug, Nethelp consulting, sthaug at nethelp.no
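To make the fragment problem raised above concrete, here is an added Python example (not code from the thread, nor from pf, ipfw or iptables): it builds an IPv6/UDP datagram too large for the path MTU, splits it into fragments as RFC 2460 describes, and compares a filter that applies a "udp port 53" rule to each packet on its own with one that decides on the reassembled datagram. The addresses, ports, fragment identification and the zero-filled payload standing in for a large DNSSEC response are all constructed for the example.

```python
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NEXT_HEADER_UDP = 17
NEXT_HEADER_FRAGMENT = 44
DNS_PORT = 53


def build_udp(src_port, dst_port, payload):
    # UDP header: sport, dport, length, checksum (left zero; the toy filters never validate it)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv6(next_header, payload, src, dst, hop_limit=64):
    # version 6, traffic class 0, flow label 0, payload length, next header, hop limit
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + src + dst + payload


def fragment_ipv6(src, dst, upper_next_header, upper_payload, mtu, ident):
    """Fragment per RFC 2460 section 4.5 (no extension headers before the Fragment header)."""
    if IPV6_HDR_LEN + len(upper_payload) <= mtu:
        return [build_ipv6(upper_next_header, upper_payload, src, dst)]
    # Room per fragment, rounded down to a multiple of 8: offsets are in 8-octet units
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    frags, offset, total = [], 0, len(upper_payload)
    while offset < total:
        piece = upper_payload[offset:offset + chunk]
        more = 1 if offset + len(piece) < total else 0
        # Fragment header: next header, reserved, (offset in 8-octet units << 3 | M flag), identification
        frag_hdr = struct.pack("!BBHI", upper_next_header, 0, ((offset // 8) << 3) | more, ident)
        frags.append(build_ipv6(NEXT_HEADER_FRAGMENT, frag_hdr + piece, src, dst))
        offset += len(piece)
    return frags


def parse_ipv6(pkt):
    _, plen, nh, _ = struct.unpack("!IHBB", pkt[:8])
    return nh, pkt[8:24], pkt[24:40], pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]


def udp_is_dns(payload):
    if len(payload) < 8:
        return False
    sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
    return DNS_PORT in (sport, dport)


def stateless_allow_dns(pkt):
    """Rule 'pass udp port 53' evaluated on one packet at a time, with no fragment reassembly."""
    nh, _, _, payload = parse_ipv6(pkt)
    if nh == NEXT_HEADER_FRAGMENT:
        inner_nh, _, off_flags, _ = struct.unpack("!BBHI", payload[:FRAG_HDR_LEN])
        if off_flags >> 3:
            return False  # non-first fragment: carries no UDP header, so the port match fails
        nh, payload = inner_nh, payload[FRAG_HDR_LEN:]
    return nh == NEXT_HEADER_UDP and udp_is_dns(payload)


class FragmentReassembler:
    """Collects fragments by (src, dst, identification); returns the whole datagram once complete."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        nh, src, dst, payload = parse_ipv6(pkt)
        if nh != NEXT_HEADER_FRAGMENT:
            return nh, src, dst, payload
        inner_nh, _, off_flags, ident = struct.unpack("!BBHI", payload[:FRAG_HDR_LEN])
        offset, more, data = (off_flags >> 3) * 8, off_flags & 1, payload[FRAG_HDR_LEN:]
        st = self.pending.setdefault((src, dst, ident), {"pieces": {}, "total": None, "nh": inner_nh})
        st["pieces"][offset] = data
        if not more:
            st["total"] = offset + len(data)  # the last fragment fixes the datagram length
        if st["total"] is None:
            return None
        expected, chunks = 0, []
        for off in sorted(st["pieces"]):  # require a contiguous, gap-free sequence of pieces
            if off != expected:
                return None
            chunks.append(st["pieces"][off])
            expected += len(st["pieces"][off])
        if expected != st["total"]:
            return None
        del self.pending[(src, dst, ident)]
        return st["nh"], src, dst, b"".join(chunks)


def stateful_allow_dns(reassembler, pkt):
    """Same rule, but decided on the reassembled datagram; None means 'held, not yet decidable'."""
    result = reassembler.feed(pkt)
    if result is None:
        return None
    nh, _, _, payload = result
    return nh == NEXT_HEADER_UDP and udp_is_dns(payload)


def demo(response_size=3000, mtu=1500):
    """Constructed DNS response from port 53; returns the verdicts of both filters per packet."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # constructed addresses
    dst = bytes.fromhex("20010db8000000000000000000000002")
    udp = build_udp(DNS_PORT, 40000, b"\x00" * response_size)  # zero bytes stand in for a DNSSEC answer
    frags = fragment_ipv6(src, dst, NEXT_HEADER_UDP, udp, mtu, ident=0xABCD)
    stateless = [stateless_allow_dns(f) for f in frags]
    reassembler = FragmentReassembler()
    stateful = [stateful_allow_dns(reassembler, f) for f in frags]
    done = None
    for f in frags:
        done = FragmentReassembler().feed(f) if len(frags) == 1 else (reassembler.feed(f) or done)
    return {"fragments": len(frags), "stateless": stateless, "stateful": stateful,
            "reassembled_ok": done is not None and done[3] == udp}


if __name__ == "__main__":
    print(demo())
```

With a 3000-byte answer and a 1500-byte MTU the datagram goes out as three fragments. The per-packet rule passes only the first one, because only the first fragment carries the UDP header; the other two have no ports to match and fall through to whatever the default policy is, which on a default-deny host firewall means the resolver never reassembles the response. The fragment-aware filter holds the pieces and gives one verdict for the whole datagram, which is what the quoted advice to check for IPv6 fragment support amounts to in practice.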
