On Thu, Apr 02, 2020 at 03:06:49AM +0000, Paul Vixie <p...@redbarn.org> wrote a message of 29 lines which said:
> to keep your own recursive servers from amplifying spoofed-source
> attacks, you need ACL's that make it unreachable outside your
> specific client base.

ACLs in the server are not enough, you also need ingress filtering on the borders of your network, to prevent packets claiming to be from your network from getting inside.

> to keep your own servers of whatever kind from being ddos'd into
> congestion loss, you need massive overprovisioning including both
> local and global anycast.

If the congestion is on the link, yes, you are right. If it is on the server, filtering solutions may be sufficient if there is an easy way to sort out the bad traffic from the good one, and if they are faster than the name server (Netfilter on Linux is fast, for instance.)
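
An added illustration, not part of the original message or of either poster's setup: a small Python model of why a resolver ACL alone still answers spoofed queries, and what a border ingress filter changes. The prefixes, the interface names `wan0`/`lan0` and all function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed documentation prefixes standing in for "your network".
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("2001:db8:1::/48")]
BORDER_IFACES = {"wan0"}  # hypothetical upstream-facing interface name


@dataclass(frozen=True)
class Query:
    iface: str  # interface the packet arrived on at the border router
    src: str    # source address claimed in the IP header


def is_client(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLIENT_NETS)


def resolver_acl_allows(q):
    """Server-side ACL: it only ever sees the claimed source address."""
    return is_client(q.src)


def border_ingress_allows(q):
    """Border filter: drop packets from outside that claim an inside source."""
    return not (q.iface in BORDER_IFACES and is_client(q.src))


def answered(q, ingress_filtering):
    """True if the resolver would send a response for this query."""
    if ingress_filtering and not border_ingress_allows(q):
        return False
    return resolver_acl_allows(q)


# Constructed sample traffic.
SAMPLE = [
    Query("lan0", "192.0.2.10"),      # real client
    Query("wan0", "203.0.113.7"),     # outside host, honest source
    Query("wan0", "192.0.2.10"),      # outside host spoofing a client address
    Query("wan0", "2001:db8:1::53"),  # same spoofing, over IPv6
]


def report(ingress_filtering):
    return [answered(q, ingress_filtering) for q in SAMPLE]


if __name__ == "__main__":
    for mode in (False, True):
        print("ACL + ingress filter" if mode else "ACL only", report(mode))
```
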