[dns-operations] solutions for DDoS mitigation of DNS

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Apr 2 07:03:18 UTC 2020

On Thu, Apr 02, 2020 at 03:06:49AM +0000,
 Paul Vixie <paul at redbarn.org> wrote 
 a message of 29 lines which said:

> to keep your own recursive servers from amplifying spoofed-source
> attacks, you need ACL's that make it unreachable outside your
> specific client base.

ACLs in the server are not enough; you also need ingress filtering on
the borders of your network, to prevent packets claiming to be from
your network from getting inside.

> to keep your own servers of whatever kind from being ddos'd into
> congestion loss, you need massive overprovisioning including both
> local and global anycast.

If the congestion is on the link, yes, you are right. If it is on the
server, filtering solutions may be sufficient if there is an easy way
to sort out the bad traffic from the good, and if they are faster
than the name server (Netfilter on Linux is fast, for instance.)
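
Added illustration, not code from either poster: an nftables ruleset (Netfilter's current front end) sketching the measures discussed above, namely border ingress filtering against spoofed sources, the client ACL on the recursive server enforced in the kernel, and a per-source rate limit as one kind of filter that is faster than the name server. The client prefixes, the interface name and the 200 queries/second limit are assumed placeholders, and the two chains would in practice live on different machines (border router and resolver).

```nft
# Added illustration, not from the thread. Placeholders: the client prefixes,
# the external interface name and the 200/second limit are assumptions.
define CLIENTS4 = { 192.0.2.0/24, 198.51.100.0/24 }  # assumed client base (v4)
define CLIENTS6 = { 2001:db8::/32 }                   # assumed client base (v6)
define EXT_IF   = "eth0"                              # assumed border interface

table inet dns_defense {
    # (a) Border ingress filtering: a packet arriving on the external
    #     interface must not carry one of our own source prefixes. This is
    #     what stops spoofed queries "from our network" reaching a resolver
    #     whose ACL trusts exactly those prefixes.
    chain border_ingress {
        type filter hook prerouting priority -300; policy accept;
        iifname $EXT_IF ip saddr $CLIENTS4 counter drop
        iifname $EXT_IF ip6 saddr $CLIENTS6 counter drop
    }

    # (b) On the recursive server itself: the same client ACL, applied in
    #     the kernel so a query from outside the client base never costs
    #     the name server any work. Replies from authoritative servers
    #     (source port 53, ephemeral destination port) are unaffected.
    chain resolver_acl {
        type filter hook input priority 0; policy accept;
        ip saddr != $CLIENTS4 meta l4proto { udp, tcp } th dport 53 counter drop
        ip6 saddr != $CLIENTS6 meta l4proto { udp, tcp } th dport 53 counter drop

        # (c) One filter that is faster than the name server: a per-source
        #     rate limit. Sources above the limit are dropped by Netfilter
        #     before the resolver sees them; normal clients stay well below.
        udp dport 53 meter dns_rate4 { ip saddr limit rate over 200/second } counter drop
        udp dport 53 meter dns_rate6 { ip6 saddr limit rate over 200/second } counter drop
    }
}
```

Load with `nft -f <file>` and watch the `counter` values to confirm the rules are matching the traffic you expect before tightening the limit.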
