[dns-operations] DNS ANY requests from Amazon?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Dec 18 07:57:40 UTC 2012

On Mon, Dec 17, 2012 at 09:08:09PM +0000,
 Vernon Schryver <vjs at rhyolite.com> wrote 
 a message of 47 lines which said:

> Per-client rate limiting is generally the best that can be done with
> simple firewall rules or access control lists, but has limitations
> and can cause harm.  While rate limiting by client IP address stops
> a reflection attack, it also turns off almost all DNS service to the
> client from the server.

No one in his right mind limits simply by the client's IP
address. People typically also use the type of the request (today,
typically ANY). See my mini-HOWTO for Linux Netfilter in this thread.

More information about the dns-operations mailing list