[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Erik Jan van Westen
dnslist at vanwesten.net
Wed Jun 22 16:35:23 UTC 2011
On 22-6-2011 13:17, sthaug at nethelp.no wrote:
>>>> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
>>> Not if you have working ip6tables at the same time.
>> But before you deploy that, make sure your host based firewall
>> understands IPv6 fragments.
>> OpenBSD pf still doesn't seem to support them:
>> Not sure how IPtables deals with them.
> Same problem with FreeBSD ipfw:
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
Beware. Neither reply is about pf in OpenBSD; both are (probably) about an
older version of pf in FreeBSD. I haven't tested it in current/stable
OpenBSD, though. OTOH I have not seen any problems so far with OpenBSD
and IPv6 firewalling of a DNS server.
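The point behind "make sure your host based firewall understands IPv6 fragments" is easy to miss, so here is an added, self-contained illustration (example code written for this archive page; it is not from the thread, nor from pf, ipfw or iptables). A DNSSEC answer that exceeds the path MTU is split into IPv6 fragments, and only the first fragment carries the UDP header. A stateless "allow UDP from port 53, deny the rest" rule therefore admits the first fragment and silently drops every later one, so the resolver never reassembles the answer. The code builds such an answer from constructed data (addresses 2001:db8::53 and 2001:db8::1, fragment identification 0x1234, client port 40001 are all made up), fragments it per RFC 8200, and runs both a stateless filter and a minimal fragment-tracking filter over the fragments.

```python
"""Why a host firewall in front of a DNS server must understand IPv6 fragments.
Sample packets are constructed here; nothing is captured from a real network."""
import struct

IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
DNS_PORT = 53

def ipv6_packet(src, dst, next_header, body):
    """Fixed IPv6 header (version 6, hop limit 64) followed by body."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(body), next_header, 64, src, dst)
    return hdr + body

def udp_datagram(sport, dport, payload):
    """UDP header (checksum left at zero, it is not checked here) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(src, dst, next_header, upper, mtu, ident):
    """Split upper-layer data into IPv6 fragments as RFC 8200 section 4.5 does:
    every fragment except the last carries a multiple of 8 octets."""
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    frags, off = [], 0
    while off < len(upper):
        piece = upper[off:off + chunk]
        more = 1 if off + len(piece) < len(upper) else 0
        # fragment header: next header, reserved, offset(13 bits)/res/M flag, identification
        frag_hdr = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        frags.append(ipv6_packet(src, dst, IPPROTO_FRAGMENT, frag_hdr + piece))
        off += len(piece)
    return frags

def parse(pkt):
    """Return (src, dst, upper next header, fragment offset, M flag, ident, data)."""
    _, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
    body = pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]
    if nh != IPPROTO_FRAGMENT:
        return src, dst, nh, 0, 0, None, body
    nh, _, offmore, ident = struct.unpack("!BBHI", body[:FRAG_HDR_LEN])
    return src, dst, nh, offmore >> 3, offmore & 1, ident, body[FRAG_HDR_LEN:]

def stateless_allow_dns_reply(pkt):
    """Stateless 'allow UDP with source port 53' under a default-deny policy.
    Non-first fragments carry no UDP header, so they can never match."""
    _, _, nh, off, _, _, data = parse(pkt)
    if nh != IPPROTO_UDP or off != 0 or len(data) < 8:
        return False
    return struct.unpack("!H", data[:2])[0] == DNS_PORT

class FragmentAwareFilter:
    """Same policy, but a fragment train admitted by its first fragment is
    remembered (keyed by src, dst, identification) and its later fragments are
    passed, roughly what a stateful firewall that reassembles fragments does.
    Simplification: assumes in-order arrival and never times entries out."""
    def __init__(self):
        self.open = set()

    def allow(self, pkt):
        src, dst, nh, off, more, ident, data = parse(pkt)
        key = (src, dst, ident)
        if ident is None or off == 0:
            verdict = stateless_allow_dns_reply(pkt)
            if verdict and ident is not None and more:
                self.open.add(key)
            return verdict
        if key not in self.open:
            return False
        if not more:
            self.open.discard(key)
        return True

def verdicts(sport, payload_len, mtu=1280):
    """Build one UDP answer of payload_len bytes from sport, fragment it if it
    does not fit the MTU, and return (fragment count, stateless verdicts,
    fragment-aware verdicts)."""
    src = bytes.fromhex("20010db8000000000000000000000053")  # constructed 2001:db8::53
    dst = bytes.fromhex("20010db8000000000000000000000001")  # constructed 2001:db8::1
    answer = udp_datagram(sport, 40001, b"\x00" * payload_len)
    if IPV6_HDR_LEN + len(answer) <= mtu:
        pkts = [ipv6_packet(src, dst, IPPROTO_UDP, answer)]
    else:
        pkts = fragment(src, dst, IPPROTO_UDP, answer, mtu, ident=0x1234)
    fw = FragmentAwareFilter()
    return len(pkts), [stateless_allow_dns_reply(p) for p in pkts], [fw.allow(p) for p in pkts]

if __name__ == "__main__":
    n, sl, sf = verdicts(DNS_PORT, 1700)  # DNSSEC-sized answer over a 1280 MTU
    print(f"{n} fragments; stateless: {sl}; fragment-aware: {sf}")
```

With a 1700-byte answer and a 1280-byte MTU the stateless filter passes the first fragment and drops the second, while the fragment-tracking filter passes both; a small answer that needs no fragmentation is accepted by both, and fragments of a non-DNS datagram are rejected by both. The real firewalls named in the thread need their own fragment handling (reassembly or a fragment-tracking rule) enabled and tested, which is exactly the "does it understand IPv6 fragments" check the replies ask for.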