[dns-operations] First experiments with DNS dampening to fight amplification attacks

Dobbins, Roland rdobbins at arbor.net
Mon Oct 29 10:13:55 UTC 2012

On Oct 29, 2012, at 4:28 PM, Klaus Darilion wrote:

> We apply iptables based rate-limiting on ANY queries with RD bit set. 

The problem with fronting your DNS servers with a stateful firewall is that it makes it susceptible to trivial state-exhaustion attacks.  This is not a good idea.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the dns-operations mailing list