[dns-operations] question for DNS being attacked
Paul Vixie
paul at redbarn.org
Thu Jun 28 20:53:19 UTC 2012
On 6/28/2012 8:47 PM, Stephane Bortzmeyer wrote:
> On Thu, Jun 28, 2012 at 04:04:47AM +0000,
> Michael Hoskins (michoski) <michoski at cisco.com> wrote
> a message of 61 lines which said:
>
>> or even firewall based rate limiting like iptables or dummynet.
>>
>> http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
> ...
>
> I suggest using the hashlimit Netfilter module instead.
there is not enough information available upstream of the dns server, at
query receive time, to know whether or not to drop the query. you have
to know what the prospective response is, and drop that.
paul
More information about the dns-operations
mailing list