[dns-operations] solutions for DDoS mitigation of DNS
Ray Bellis
ray at isc.org
Thu Apr 2 09:39:56 UTC 2020
On 02/04/2020 10:12, Tessa Plum wrote:

> All the packages were DNS requests, some queries like 'dig domain.com any',
> but their IP address seems spoofed.
> A request from the fake address to our nameserver, but the nameserver tries
> its best to reply to this unreal address.

If it's a recursive server, apply an ACL so that only expected clients
can query.

If it's an authoritative server, turn on Response Rate Limiting (RRL) if
it's BIND, or the equivalent feature if it isn't.

Ray
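
The two settings suggested above, sketched as BIND named.conf fragments. This is an added example and not part of the original message; the client networks are documentation-range placeholders and the rate-limit numbers are illustrative assumptions to be tuned against real traffic.

```conf
// --- Recursive resolver: named.conf (constructed example) ---
// Only the listed networks may query or recurse; spoofed queries
// from outside them are refused instead of being resolved.
acl trusted-clients {
    localhost;
    192.0.2.0/24;        // placeholder: your own client networks
    2001:db8::/32;       // placeholder
};

options {
    recursion yes;
    allow-query       { trusted-clients; };
    allow-recursion   { trusted-clients; };
    allow-query-cache { trusted-clients; };
};

// --- Authoritative server: a separate named.conf (constructed example) ---
// Must answer anyone, so restrict by rate rather than by source address.
options {
    recursion no;
    allow-query { any; };

    rate-limit {
        responses-per-second 10;  // identical responses per client netblock
        window 5;                 // seconds over which the rate is averaged
        slip 2;                   // every 2nd limited response goes out
                                  // truncated (TC=1) so real clients retry
                                  // over TCP; the rest are dropped
        log-only yes;             // dry run: log what would be limited
    };
};
```

With log-only set, named only logs what it would have limited; remove that line once the logs show legitimate clients are unaffected.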