[dns-operations] solutions for DDoS mitigation of DNS

Tony Finch dot at dotat.at
Thu Apr 2 10:05:48 UTC 2020

Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Apr 02, 2020 at 03:06:49AM +0000,
>  Paul Vixie <paul at redbarn.org> wrote
>  a message of 29 lines which said:
> > to keep your own recursive servers from amplifying spoofed-source
> > attacks, you need ACL's that make it unreachable outside your
> > specific client base.
> ACLs in the server are not enough, you also need ingress filtering on
> the borders of your network, to prevent packets claiming to be from
> your network to get inside.

That kind of ingress filtering protects you against DDoSing yourself,
which maybe the rest of the Internet isn't too bothered about :-)

You ALSO need ACLs on all the crappy consumer routers to stop their DNS
forwarders from being used in an attack. And BCP38. Both of these are not
as common as they should be :-(

You can configure your authoritative servers to be less attrative for use
in DDoS attacks: as well as RRL, configure minimal responses, minimal ANY,
roll to DNSSEC algorithm 13 instead of RSA (all help to keep response
sizes small), and set your UDP size limit to less than one MTU (to reduce
packet count amplification).

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
no one shall be enslaved by poverty, ignorance, or conformity

More information about the dns-operations mailing list