[dns-operations] solutions for DDoS mitigation of DNS
ray at isc.org
Thu Apr 2 09:39:56 UTC 2020
On 02/04/2020 10:12, Tessa Plum wrote:
> All the packages were DNS requests, some queries like 'dig domain.com any'.
> but their IP address seems spoofed.
> A request from the fake address to our nameserver, but nameserver try
> its best to reply to this unreal address.
If it's a recursive server, apply an ACL so that only expected clients
If it's an authoritative server, turn on Response Rate Limiting (RRL) if
it's BIND, or the equivalent feature if is isn't.
More information about the dns-operations