Another possibility is to implement packet rate limiting - a patch was discussed here a few days/weeks ago.
I endorse this suggestion: we were faced with such attacks and were naturally leery about issues we might run into running a patched bind and the additional tuning it could require. Our experience is: the RRL patch, used with its default parameters, simply does the job.

John Cornell University IT