[dns-operations] solutions for DDoS mitigation of DNS

Davey Song songlinjian at gmail.com
Thu Apr 2 13:12:14 UTC 2020


On Thu, 2 Apr 2020 at 20:58, Tessa Plum <tessa at plum.ovh> wrote:

> On 2020/4/2 5:39 PM, Ray Bellis wrote:
> > If it's an authoritative server, turn on Response Rate Limiting (RRL) if
> > it's BIND, or the equivalent feature if it isn't.
>
> Yes they are authoritative servers.
> Does RRL work based on IP addr? But the requesting IP seems spoofed.
>
> Are the spoofed IPs randomly generated?

Considering your privacy concern, you can try the approach of increasing the
bandwidth and hardening the name server with a cluster using OSPF ECMP
(https://archive.nanog.org/meetings/nanog34/presentations/abley.nameservers.pdf).

Davey