[dns-operations] First experiments with DNS dampening to fight amplification attacks

Joe Abley jabley at hopcount.ca
Mon Oct 29 17:54:41 UTC 2012

On 2012-10-29, at 06:16, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Mon, Oct 29, 2012 at 10:13:55AM +0000,
> Dobbins, Roland <rdobbins at arbor.net> wrote 
> a message of 20 lines which said:
>>> We apply iptables based rate-limiting on ANY queries with RD bit set. 
>> The problem with fronting your DNS servers with a stateful firewall 
> ? iptables != stateful firewalling.

no, rate-limiting == stateful firewalling.

(I appreciate that there are techniques available to keep the state manageable, but state is required to rate-limit and retaining state in front of DNS servers in general ought indeed to prompt some careful thinking before implementation.)
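Joe's point that a rate limiter is necessarily stateful, shown as an added example that is not from any poster in this thread: a Python model of a per-source token bucket that only counts queries for QTYPE ANY with RD set, together with the two knobs (idle expiry and a hard entry cap) that keep the state table bounded, the same approach an expiring hash table such as iptables' hashlimit match takes. Function and class names are my own, and the query bytes in the test are constructed.

```python
import struct
from collections import OrderedDict

QTYPE_ANY = 255
RD_FLAG = 0x0100  # recursion-desired bit in the DNS header flags


def is_any_rd_query(payload):
    """True if the UDP payload is a DNS query for QTYPE ANY with RD set."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or not flags & RD_FLAG or qdcount == 0:
        return False             # a response, RD clear, or no question
    pos = 12                     # walk the QNAME labels to reach QTYPE
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] & 0xC0:  # compression pointers are not valid here
            return False
        pos += 1 + payload[pos]
    pos += 1                     # skip the terminating root label
    if pos + 2 > len(payload):
        return False
    return struct.unpack("!H", payload[pos:pos + 2])[0] == QTYPE_ANY


class SourceRateLimiter:
    """Per-source token bucket. The table is exactly the state the thread
    is about; idle expiry and a maximum entry count keep it bounded."""

    def __init__(self, rate, burst, idle_expire, max_entries):
        self.rate, self.burst = rate, burst
        self.idle_expire, self.max_entries = idle_expire, max_entries
        self.table = OrderedDict()  # src -> [tokens, last_seen], LRU order

    def allow(self, src, now):
        while self.table:           # drop sources idle longer than idle_expire
            oldest, (_, seen) = next(iter(self.table.items()))
            if now - seen <= self.idle_expire:
                break
            del self.table[oldest]
        entry = self.table.get(src)
        if entry is None:
            if len(self.table) >= self.max_entries:
                self.table.popitem(last=False)  # evict least recently seen
            entry = self.table[src] = [self.burst, now]
        tokens = min(self.burst, entry[0] + (now - entry[1]) * self.rate)
        entry[1] = now
        self.table.move_to_end(src)
        entry[0] = tokens - 1 if tokens >= 1 else tokens
        return tokens >= 1
```

Only packets for which is_any_rd_query() is true need to touch the limiter, so legitimate traffic never creates table entries.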


