[dns-operations] First experiments with DNS dampening to fight amplification attacks
Joe Abley
jabley at hopcount.ca
Mon Oct 29 17:54:41 UTC 2012
On 2012-10-29, at 06:16, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Mon, Oct 29, 2012 at 10:13:55AM +0000,
> Dobbins, Roland <rdobbins at arbor.net> wrote
> a message of 20 lines which said:
>
>>> We apply iptables based rate-limiting on ANY queries with RD bit set.
>>
>> The problem with fronting your DNS servers with a stateful firewall
>
> ? iptables != stateful firewalling.
no, rate-limiting == stateful firewalling.
(I appreciate that there are techniques available to keep the state manageable, but state is required to rate-limit and retaining state in front of DNS servers in general ought indeed to prompt some careful thinking before implementation.)
Joe
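As an added illustration of the point about state (example code written for this page, not from the thread, from iptables, or from any DNS server): a per-source token bucket applied only to ANY queries with RD set. The per-source table is the state a rate limit cannot avoid; the `max_sources` bound and least-recently-seen eviction are one assumed way of keeping that state manageable, and the sample queries are constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # remaining allowance for this source
    last: float     # time of the last refill, seconds


class AnyRdLimiter:
    """Rate-limit ANY queries with RD=1 per source address; pass everything else.

    rate: tokens refilled per second, burst: bucket capacity,
    max_sources: upper bound on the number of sources tracked (assumed policy).
    """

    def __init__(self, rate=1.0, burst=4, max_sources=1000):
        self.rate, self.burst, self.max_sources = rate, burst, max_sources
        # source address -> Bucket: this table *is* the state rate-limiting needs
        self.state = OrderedDict()

    def allow(self, src, qtype, rd, now):
        if qtype != "ANY" or not rd:
            return True                      # only ANY+RD is limited
        bucket = self.state.pop(src, None)   # pop so re-insert marks it most recent
        if bucket is None:
            if len(self.state) >= self.max_sources:
                self.state.popitem(last=False)   # evict least-recently-seen source
            bucket = Bucket(tokens=self.burst, last=now)
        elapsed = now - bucket.last
        bucket.tokens = min(self.burst, bucket.tokens + elapsed * self.rate)
        bucket.last = now
        self.state[src] = bucket
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        return False


def run(queries, **kw):
    """Feed (src, qtype, rd, time) tuples through a limiter; return decisions and state size."""
    limiter = AnyRdLimiter(**kw)
    return [limiter.allow(*q) for q in queries], len(limiter.state)


# Constructed sample: six ANY/RD queries from one source within 0.5 s, then one A query.
SAMPLE = [("192.0.2.1", "ANY", True, i * 0.1) for i in range(6)] + [("192.0.2.1", "A", True, 0.6)]

if __name__ == "__main__":
    print(run(SAMPLE))   # ([True, True, True, True, False, False, True], 1)
```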