[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Bill Larson wllarso at swcp.com
Wed Jun 22 17:45:34 UTC 2011


On Jun 22, 2011, at 10:35 AM, Erik Jan van Westen wrote:

> Op 22-6-2011 13:17, sthaug at nethelp.no schreef:
>>>>> iptables in front of any server, especially a DNS server, is a  
>>>>> self-DoS waiting to happen.
>>>> Not if you have working ip6tables at the same time.
>>> But before you deploy that, make sure your host based firewall
>>> understands IPv6 fragments.
>>>
>>> OpenBSD pf still doesn't seem to support them:
>>>
>>> http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
>>>
>>> Not sure how IPtables deals with them.
>> Samme problem with FreeBSD ipfw:
>>
>>       <http://www.freebsd.org/cgi/query-pr.cgi?pr=145733>

There was a thread on the BIND-USERS list a while back about setting  
up IPFW firewall rules for a DNS server.  The subject was "Best ipfw  
Rules for DNS-SEC".  You might want to go back through the archives  
and read these.  Mark Andrews had some suggestions about IPv6  
settings.  Don't know if this addresses packet fragments.

Bill Larson

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110622/d071276d/attachment.html>


More information about the dns-operations mailing list