[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Bill Larson
wllarso at swcp.com
Wed Jun 22 17:45:34 UTC 2011
On Jun 22, 2011, at 10:35 AM, Erik Jan van Westen wrote:
> On 22-6-2011 13:17, sthaug at nethelp.no wrote:
>>>>> iptables in front of any server, especially a DNS server, is a
>>>>> self-DoS waiting to happen.
>>>> Not if you have working ip6tables at the same time.
>>> But before you deploy that, make sure your host based firewall
>>> understands IPv6 fragments.
>>>
>>> OpenBSD pf still doesn't seem to support them:
>>>
>>> http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments
>>>
>>> Not sure how IPtables deals with them.
>> Same problem with FreeBSD ipfw:
>>
>> <http://www.freebsd.org/cgi/query-pr.cgi?pr=145733>
There was a thread on the BIND-USERS list a while back about setting
up IPFW firewall rules for a DNS server. The subject was "Best ipfw
Rules for DNS-SEC". You might want to go back through the archives
and read these. Mark Andrews had some suggestions about IPv6
settings. Don't know if this addresses packet fragments.
Bill Larson