[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
wllarso at swcp.com
Wed Jun 22 17:45:34 UTC 2011
On Jun 22, 2011, at 10:35 AM, Erik Jan van Westen wrote:
> On 22-6-2011 13:17, sthaug at nethelp.no wrote:
>>>>> iptables in front of any server, especially a DNS server, is a
>>>>> self-DoS waiting to happen.
>>>> Not if you have working ip6tables at the same time.
>>> But before you deploy that, make sure your host based firewall
>>> understands IPv6 fragments.
>>> OpenBSD pf still doesn't seem to support them:
>>> Not sure how IPtables deals with them.
>> Same problem with FreeBSD ipfw:
There was a thread on the BIND-USERS list a while back about setting
up IPFW firewall rules for a DNS server. The subject was "Best ipfw
Rules for DNS-SEC". You might want to go back through the archives
and read these. Mark Andrews had some suggestions about IPv6
settings. Don't know if this addresses packet fragments.