On 01.07.13 04:02, blrmaani wrote:
> We are noticing that a handful of our domains are being used for
> amplification attacks and we would like to reduce outgoing (DNS response)
> packet size.
>
> One solution is to reduce the additional sections in the response for this
> handful of zones and I would like to know if there is any way to add
> something similar to "additional-from-auth no" on a per-zone basis and achieve

It would be much better if you presented your problem at the beginning, not
just told us what you want to do.
In this case you should set "minimal-responses yes" globally, otherwise all
your other domains can get used for such attacks too.

Do you have separate servers for resolving and for domains?
Resolving servers could send all possible info to your own clients, while
authoritative servers would provide as little information as needed.

Another possibility is to implement packet rate limiting - a patch was
discussed here a few days/weeks ago.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer
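As an added illustration of the advice in the reply above (this is example configuration written for this page, not something posted in the thread): a named.conf sketch for an authoritative-only server that sets `minimal-responses` globally, refuses recursion so the box cannot be used as an open resolver, and enables response rate limiting. The zone name and file path are placeholders; the `rate-limit` block is the built-in form that later BIND releases (9.9.4 and up) shipped in place of the patch the reply mentions, so it is an assumption that your build has it.

```conf
// Hypothetical named.conf for an authoritative-only BIND server.
// Added example; zone names and paths are placeholders.

options {
    directory "/var/named";

    // Drop the optional authority and additional sections from every
    // answer, for all zones. Doing this globally (rather than per zone)
    // is the point of the reply: a zone not yet seen in an attack is
    // still a usable amplifier if it keeps sending large answers.
    minimal-responses yes;

    // An authoritative server should not resolve on anyone's behalf.
    // Refusing recursion and cache queries removes the largest class of
    // big answers this host could be tricked into sending.
    recursion no;
    allow-query-cache { none; };

    // Response Rate Limiting (assumption: RRL compiled in, BIND >= 9.9.4).
    // Identical answers to the same client block beyond 5/s are slipped
    // (every 2nd one truncated, forcing a TCP retry) or dropped.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
    };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
};
```

A resolver for your own clients lives on a different host with `recursion yes;` and an `allow-recursion { <your networks>; };` list, and can leave `minimal-responses` at its default. To see the effect on the authoritative side, run the same `dig` query against the server before and after reloading and compare the `MSG SIZE  rcvd:` line it prints; with `minimal-responses yes` the NS and glue records disappear from ordinary answers and the size drops accordingly.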

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
