[dns-operations] question for DNS being attacked

Michael Hoskins (michoski) michoski at cisco.com
Fri Jun 29 01:22:35 UTC 2012

for the record -- no, the blog post was just a general pointer since the
OP asked for iptables info on another list with the same topic...  before
trying anything on a production server that comes from a 'feeling lucky'
google or mailing list in general, i'd sincerely hope for testing. ;-)
since that article doesn't even mention DNS, i'd hoped it would encourage
reading of the man page vs. copy/paste.

sounds like RRL is one possible solution (i learned something, didn't know
this existed until now), and upstream cooperation is always best if you
can pull that off.

for those avoiding RRL until further testing and/or not able to get
upstream cooperation, other forms of rate limiting might be the only
option left...  for that i would generally look to a network device or
firewall rules on the name servers themselves.

since dummynet has proven to exhibit high FP rate on at least one root
server, some sort of sensible limit on ephemeral connections seems it
could work with enough experimentation.  unfortunately the exact mechanism
and thresholds would take time to work out, and won't help the OP now.

i'm watching RRL with interest.  as mentioned in the tech note, it's not
really needed on internal servers where preexisting / better understood
methods can keep clients under control.  externally i don't really need it
with the current infrastructure i manage, but it couldn't hurt.

hashlimit does seem commom,


again, good luck to the OP.  fairly obvious this isn't an easy fix.

-----Original Message-----

From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Date: Thursday, June 28, 2012 1:47 PM
To: Mike Hoskins <michoski at cisco.com>
Cc: pangj <pangj at riseup.net>, "dns-operations at lists.dns-oarc.net"
<dns-operations at lists.dns-oarc.net>
Subject: Re: question for DNS being attacked

>On Thu, Jun 28, 2012 at 04:04:47AM +0000,
> Michael Hoskins (michoski) <michoski at cisco.com> wrote
> a message of 61 lines which said:
>> or even firewall based rate limiting like iptables or dummynet.
>Did you try this on a production DNS server? Because I see some
>dangers in these rules, which do not seem well adapted to the DNS:
>1) They use connection-tracking, which, for the DNS, mean one entry
>per DNS request. This may exhaust the memory of the server.
>2) They are per-IP-address which does not help if the attacker can use
>many IP addresses (the problem is mostly for IPv6).
>I suggest using the hashlimit Netfilter module instead.

More information about the dns-operations mailing list