[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Erik Jan van Westen dnslist at vanwesten.net
Wed Jun 22 16:38:51 UTC 2011

Op 22-6-2011 12:50, Marco Davids (SIDN) schreef:
> On 06/22/11 11:43, Ray Bellis wrote:
>>> iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.
>> Not if you have working ip6tables at the same time.
> But before you deploy that, make sure your host based firewall
> understands IPv6 fragments.
> OpenBSD pf still doesn't seem to support them:
> http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
> Not sure how IPtables deals with them.

Incorrect. You can only say that the FreeBSD version of OpenBSD's pf 
does not support. You cannot conclude from this article that OpenBSD pf 
does not support it.

More information about the dns-operations mailing list