[dns-operations] question for DNS being attacked

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Jun 28 20:47:40 UTC 2012

On Thu, Jun 28, 2012 at 04:04:47AM +0000,
 Michael Hoskins (michoski) <michoski at cisco.com> wrote 
 a message of 61 lines which said:

> or even firewall based rate limiting like iptables or dummynet.
> http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html

Did you try this on a production DNS server? Because I see some
dangers in these rules, which do not seem well adapted to the DNS:

1) They use connection-tracking, which, for the DNS, mean one entry
per DNS request. This may exhaust the memory of the server.

2) They are per-IP-address which does not help if the attacker can use
many IP addresses (the problem is mostly for IPv6).

I suggest using the hashlimit Netfilter module instead.

More information about the dns-operations mailing list