[dns-operations] solutions for DDoS mitigation of DNS

Ray Bellis ray at isc.org
Thu Apr 2 09:39:56 UTC 2020



On 02/04/2020 10:12, Tessa Plum wrote:

> All the packages were DNS requests, some queries like 'dig domain.com any'.
> but their IP address seems spoofed.
> A request from the fake address to our nameserver, but nameserver try
> its best to reply to this unreal address.

If it's a recursive server, apply an ACL so that only expected clients
can query.

If it's an authoritative server, turn on Response Rate Limiting (RRL) if
it's BIND, or the equivalent feature if is isn't.

Ray



More information about the dns-operations mailing list