[dns-operations] solutions for DDoS mitigation of DNS

Paul Vixie paul at redbarn.org
Thu Apr 2 03:06:49 UTC 2020


On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
> Hello
> 
> May I ask if there are any solutions for DDoS mitigation of DNS?
> Both commercial and free solutions could be considered.
> 
> Thanks.
> 
> Tessa
> https://plum.ovh/

to keep your own authority servers from amplifying spoofed-source attacks, you 
need response rate limiting, available in bind9, dnsdist, nsd, (any others?)

to keep your own recursive servers from amplifying spoofed-source attacks, you 
need ACLs that make them unreachable outside your specific client base.

to keep your own servers of whatever kind from being ddos'd into congestion 
loss, you need massive overprovisioning including both local and global 
anycast. you may also need something like akamai's "clean feed" filtering.

-- 
Paul
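
Added example, not part of the original message: a BIND 9 named.conf sketch of the first two points in the reply above, response rate limiting on an authoritative server and a client ACL on a recursive server. The ACL name, the address ranges (documentation prefixes) and the numeric limits are constructed starting values, not recommendations from the post.

```conf
// ---- authoritative server: named.conf (fragment) ----
options {
    // An authority server has no reason to recurse for anyone.
    recursion no;

    // Response rate limiting: cap identical responses sent toward one
    // client network, so spoofed-source queries yield little amplification.
    rate-limit {
        responses-per-second 5;   // constructed value; tune against real traffic
        window 5;                 // seconds over which the rate is averaged
        slip 2;                   // every 2nd limited response goes out truncated
                                  // (TC=1) so a real client can retry over TCP
        ipv4-prefix-length 24;    // account per /24, not per single address
        ipv6-prefix-length 56;
        // log-only yes;          // uncomment to observe what would be limited
                                  // before enforcing
    };
};

// ---- recursive server: named.conf (fragment, separate host) ----
// Constructed client base using documentation prefixes; replace with the
// networks you actually serve.
acl "clients" {
    localhost;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    recursion yes;

    // Anyone outside the ACL is refused, so the resolver cannot be used
    // as a reflector by arbitrary spoofed sources on the internet.
    allow-query       { clients; };
    allow-recursion   { clients; };
    allow-query-cache { clients; };
};
```

Each fragment can be checked with named-checkconf before reloading the server.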



