On Fri, Jul 13, 2012 at 10:26:55AM +0200, Dns Administrator <dnsadm...@gmail.com> wrote a message of 186 lines which said:
> Googling the issue I found that it was well known and had something
> to do with dns amplification and denial of service.

Yes. Already discussed a lot on this list and on dns-operations.

> maybe the isc folks had implemented some sort of configuration
> option which could control this

You can do it outside of the name server, also. For instance, on Linux,
if the QNAME is fixed, let's say 'bad.example':

1) Get <http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py>

2) Run it with the proper options:

rule=$(python generate-netfilter-u32-dns-rule.py --qname bad.example --qtype ANY)

3) Use the output in a Netfilter rule:

iptables -A INPUT -p udp --dport 53 --match u32 --u32 "$rule" -j RATELIMITER

4) Rate-limit:

iptables -A RATELIMITER -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

> But as so rightly pointed out the scamps who engage in this sort of
> foolishness would also be aware of this and change their scripts
> accordingly

My experience is that they don't do it immediately. Bad guys are human,
not demi-gods. Most attacks have obvious optimisations they do not even
use.

A bad attitude in security is dismissing a partial and limited solution
because "attackers will adapt" while the reality is that, even if they
do, you'll have bought time. Typical example: email greylisting, which
has worked very well for many years while several naysayers repeated
"it's no good because the spammers will adapt".
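As an added example (not the script linked in the mail, and not part of the original message), here is a Python generator for the same kind of u32 expression, plus a small evaluator that applies the generated tests to a constructed IPv4/UDP/DNS query so the offsets and masks can be checked offline. It assumes IPv4 and UDP (so `-p udp --dport 53` still belongs in the iptables rule), an unfragmented packet and a single question directly after the 12-byte DNS header; all function names are this example's own.

```python
#!/usr/bin/env python3
"""Generate an iptables '-m u32 --u32 ...' expression matching a UDP DNS
query for one exact QNAME/QTYPE, and check it against a sample packet.

Added example, not the script linked in the mail. Assumes IPv4 + UDP,
an unfragmented packet and one question immediately after the 12-byte
DNS header. All names below belong to this example only."""
import re
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AAAA": 28, "SRV": 33, "ANY": 255}      # RFC 1035 codes
QCLASS_IN = 1
# Read the first 32-bit word of the IPv4 header, shift the IHL nibble down
# and mask it so the result is the header length in bytes, then make every
# offset that follows relative to the start of the UDP header.
IP_HDR_SKIP = "0>>22&0x3C@"
QUESTION_OFFSET = 8 + 12           # UDP header + DNS header


def qname_wire(name):
    """'bad.example' -> b'\\x03bad\\x07example\\x00' (no name compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def question_wire(name, qtype, qclass=QCLASS_IN):
    return qname_wire(name) + struct.pack("!HH", QTYPES[qtype.upper()], qclass)


def _is_ascii_letter(b):
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def u32_rule(name, qtype="ANY", case_insensitive=True):
    """One u32 test per 32-bit word of the question section. Every test in a
    u32 expression restarts from the IP header, so each carries IP_HDR_SKIP."""
    question = question_wire(name, qtype)
    offsets = list(range(0, len(question) - 3, 4))     # aligned full words
    if len(question) % 4:
        # xt_u32 fails a test that would read past the end of the packet, and
        # a query without an EDNS OPT record ends right after the question, so
        # test the last four bytes as an overlapping word, not a padded one.
        offsets.append(len(question) - 4)
    tests = []
    for i in offsets:
        chunk = question[i:i + 4]
        # Names compare case-insensitively (RFC 4343) and some resolvers
        # randomise letter case, so clear bit 0x20 on letters in the mask.
        mask = bytes(0xDF if case_insensitive and _is_ascii_letter(b) else 0xFF
                     for b in chunk)
        value = int.from_bytes(chunk, "big") & int.from_bytes(mask, "big")
        tests.append("%s%d&0x%s=0x%08X" % (IP_HDR_SKIP, QUESTION_OFFSET + i,
                                           mask.hex().upper(), value))
    return "&&".join(tests)


_TEST = re.compile(r"^0>>22&0x3C@(\d+)&0x([0-9A-F]{8})=0x([0-9A-F]{8})$")


def packet_matches(rule, packet):
    """Apply a rule from u32_rule() to a raw IPv4 packet the way xt_u32 does
    for this restricted form: read 4 bytes big-endian at IHL*4 + offset,
    mask, compare; a read past the end of the packet fails the test."""
    ihl = (packet[0] & 0x0F) * 4
    for test in rule.split("&&"):
        m = _TEST.match(test)
        if m is None:
            raise ValueError("unsupported test: " + test)
        at = ihl + int(m.group(1))
        if at + 4 > len(packet):
            return False
        word = int.from_bytes(packet[at:at + 4], "big")
        if word & int(m.group(2), 16) != int(m.group(3), 16):
            return False
    return True


def build_query(name, qtype, txid=0x1234):
    """Constructed IPv4/UDP/DNS query (checksums zero, no EDNS) for testing."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question_wire(name, qtype)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return ip + udp


if __name__ == "__main__":
    rule = u32_rule("bad.example", "ANY")
    print('iptables -A INPUT -p udp --dport 53 -m u32 --u32 "%s" -j RATELIMITER' % rule)
    for qname, qtype in [("bad.example", "ANY"), ("BAD.Example", "ANY"),
                         ("bad.example", "A"), ("bad.example.com", "ANY")]:
        print("%-16s %-4s -> %s" % (qname, qtype,
                                    packet_matches(rule, build_query(qname, qtype))))
```

The generated expression drops straight into step 3 of the recipe above; the RATELIMITER chain it jumps to must already exist (`iptables -N RATELIMITER`) before steps 3 and 4 are run. Two details matter in practice: u32 only matches if all four bytes of a word are inside the packet, which is why the trailing partial word is tested as an overlapping word, and the mask clears the case bit of letters so that queries sent with mixed case still hit the rule.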