[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Erik Jan van Westen dnslist at vanwesten.net
Wed Jun 22 16:35:23 UTC 2011


Op 22-6-2011 13:17, sthaug at nethelp.no schreef:
>>>> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
>>> Not if you have working ip6tables at the same time.
>> But before you deploy that, make sure your host based firewall
>> understands IPv6 fragments.
>>
>> OpenBSD pf still doesn't seem to support them:
>>
>> http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
>>
>> Not sure how IPtables deals with them.
> Same problem with FreeBSD ipfw:
>
>        <http://www.freebsd.org/cgi/query-pr.cgi?pr=145733>
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
Beware. Both replies are not OpenBSD pf in OpenBSD, but (probably) an 
older version of pf in FreeBSD. Haven't tested it in current/stable 
OpenBSD though. OTOH I have not seen any problems so far with OpenBSD 
and IPv6 firewalling a dns server.

Erik