[dns-operations] solutions for DDoS mitigation of DNS
paul at redbarn.org
Thu Apr 2 03:06:49 UTC 2020
On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
> May I ask if there are any solutions for DDoS mitigation of DNS?
> Both commercial or free solutions could be considered.
to keep your own authority servers from amplifying spoofed-source attacks, you
need response rate limiting, available in bind9, dnsdist, nsd, (any others?)
to keep your own recursive servers from amplifying spoofed-source attacks, you
need ACL's that make it unreachable outside your specific client base.
to keep your own servers of whatever kind from being ddos'd into congestion
loss, you need massive overprovisioning including both local and global
anycast. you may also need something like akamai's "clean feed" filtering.
More information about the dns-operations