[dns-operations] question for DNS being attacked
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Jun 28 20:47:40 UTC 2012
On Thu, Jun 28, 2012 at 04:04:47AM +0000,
Michael Hoskins (michoski) <michoski at cisco.com> wrote
a message of 61 lines which said:
> or even firewall based rate limiting like iptables or dummynet.
>
> http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
Did you try this on a production DNS server? Because I see some
dangers in these rules, which do not seem well adapted to the DNS:
1) They use connection-tracking, which, for the DNS, means one entry
per DNS request. This may exhaust the memory of the server.
2) They are per-IP-address which does not help if the attacker can use
many IP addresses (the problem is mostly for IPv6).
I suggest using the hashlimit Netfilter module instead.
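As an added example, not taken from the thread, here is a rule set built on that advice: DNS traffic bypasses connection tracking via the raw table, and hashlimit keys on a masked source address so that many IPv6 addresses from one prefix share a single bucket. The rate, burst, table size and prefix lengths are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): iptables/ip6tables rules
# following the advice above. Rate, burst and prefix lengths are assumptions.
# Run as-is it only prints the commands; APPLY=1 (as root) executes them.
RATE="${RATE:-200/sec}"
BURST="${BURST:-400}"

emit() {
    if [ "${APPLY:-0}" = 1 ]; then eval "$1"; else printf '%s\n' "$1"; fi
}

# $1 = iptables or ip6tables, $2 = source prefix length used as the hashlimit
# key (32 = every IPv4 address separately; 64 = one bucket per IPv6 /64).
dns_hashlimit_rules() {
    bin="$1"; mask="$2"
    # 1) raw table: no conntrack entry for DNS over UDP, in either direction,
    #    so a query flood cannot fill the connection-tracking table (point 1).
    emit "$bin -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK"
    emit "$bin -t raw -A OUTPUT     -p udp --sport 53 -j NOTRACK"
    # 2) hashlimit keyed on the masked source address: clients in one prefix
    #    share a bucket (point 2); the hash table is capped and expires idle
    #    entries, so its memory stays bounded however many sources appear.
    emit "$bin -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name dns$mask --hashlimit-mode srcip --hashlimit-srcmask $mask \
--hashlimit-above $RATE --hashlimit-burst $BURST \
--hashlimit-htable-max 65536 --hashlimit-htable-expire 10000 -j DROP"
}

dns_hashlimit_rules iptables 32
dns_hashlimit_rules ip6tables 64
```

Without APPLY=1 the script only prints the three commands per address family, so the rule text can be reviewed before it touches a production resolver.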