[dns-operations] First experiments with DNS dampening to fight amplification attacks

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Oct 29 10:16:36 UTC 2012

On Mon, Oct 29, 2012 at 10:13:55AM +0000,
 Dobbins, Roland <rdobbins at arbor.net> wrote 
 a message of 20 lines which said:

> > We apply iptables based rate-limiting on ANY queries with RD bit set. 
> The problem with fronting your DNS servers with a stateful firewall 

? iptables != stateful firewalling. Some people are careless enough to
use iptables modules with connection tracking (very bad idea for the
DNS, for the reasons you explain) but others are more careful
(rate-limiting requires only a small amount of state).
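The distinction drawn above (connection tracking versus a per-source rate counter) can be shown in code. The following is an added example, not part of the mail or of any iptables module: it parses a constructed DNS query, classifies it as "ANY with RD set" (RD is bit 0x0100 of the 16-bit flags word; QTYPE 255 is ANY), and applies a token-bucket limit keyed only on the source address. The packets, addresses and limits are constructed for the demonstration; `SourceRateLimiter`, `build_query` and `filter_packets` are names chosen here.

```python
"""Stateless classification of 'ANY + RD' DNS queries plus a per-source
token bucket.  Added example (not from the original mail); all packets
and addresses below are constructed."""
import struct
import time

ANY_QTYPE = 255
RD_BIT = 0x0100  # RD is bit 8 of the 16-bit DNS flags field (low bit of byte 2)


def parse_query(payload: bytes):
    """Return (rd_set, qtype) for the first question of a DNS query, or None."""
    if len(payload) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        return None
    pos = 12
    # Walk the QNAME labels; a query's first name carries no compression pointer.
    while True:
        if pos >= len(payload):
            return None
        label_len = payload[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len & 0xC0:
            return None  # pointer where a plain label is expected: malformed
        pos += label_len
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return bool(flags & RD_BIT), qtype


def is_any_rd(payload: bytes) -> bool:
    """True only for a well-formed query with RD set and QTYPE ANY."""
    parsed = parse_query(payload)
    return parsed is not None and parsed[0] and parsed[1] == ANY_QTYPE


class SourceRateLimiter:
    """Token bucket per source address: one (tokens, timestamp) pair per
    source, i.e. the 'small amount of state' a rate limit needs.  No
    per-flow entries are created, unlike connection tracking."""

    def __init__(self, rate: float, burst: int, now=time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.buckets = {}  # src -> (tokens, last_timestamp)

    def allow(self, src: str, ts: float = None) -> bool:
        ts = self.now() if ts is None else ts
        tokens, last = self.buckets.get(src, (float(self.burst), ts))
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, ts)
            return True
        self.buckets[src] = (tokens, ts)
        return False


def build_query(name: str, qtype: int, rd: bool = True, qid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (header + one IN question)."""
    header = struct.pack("!HHHHHH", qid, RD_BIT if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def filter_packets(packets, limiter: SourceRateLimiter):
    """packets: iterable of (src, timestamp, dns_payload).  Only ANY+RD
    queries are counted against the source's bucket; everything else passes."""
    decisions = []
    for src, ts, payload in packets:
        if is_any_rd(payload) and not limiter.allow(src, ts):
            decisions.append("drop")
        else:
            decisions.append("accept")
    return decisions


def demo():
    """Five ANY+RD queries from one constructed source in the same instant,
    then an A query from it and an ANY query from a second source."""
    limiter = SourceRateLimiter(rate=1.0, burst=3)
    any_q = build_query("example.com", ANY_QTYPE)
    a_q = build_query("example.com", 1)
    packets = [("192.0.2.1", 0.0, any_q)] * 5
    packets += [("192.0.2.1", 0.0, a_q), ("192.0.2.2", 0.0, any_q)]
    return filter_packets(packets, limiter)


if __name__ == "__main__":
    print(demo())
```

The bucket table grows by one small entry per source seen, and entries can be expired on a timer; a connection-tracking table would instead hold an entry per (src, sport, dst, dport) tuple for every query, which is exactly the state the reflected-traffic volume exhausts.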

