Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Thu, Apr 02, 2020 at 03:06:49AM +0000,
> Paul Vixie <p...@redbarn.org> wrote
> a message of 29 lines which said:
>
> > to keep your own recursive servers from amplifying spoofed-source
> > attacks, you need ACLs that make it unreachable outside your
> > specific client base.
>
> ACLs in the server are not enough, you also need ingress filtering on
> the borders of your network, to prevent packets claiming to be from
> your network from getting inside.
That kind of ingress filtering protects you against DDoSing yourself, which maybe the rest of the Internet isn't too bothered about :-)

You ALSO need ACLs on all the crappy consumer routers to stop their DNS forwarders from being used in an attack. And BCP38. Both of these are not as common as they should be :-(

You can configure your authoritative servers to be less attractive for use in DDoS attacks: as well as RRL, configure minimal responses, minimal ANY, roll to DNSSEC algorithm 13 instead of RSA (all help to keep response sizes small), and set your UDP size limit to less than one MTU (to reduce packet count amplification).

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
no one shall be enslaved by poverty, ignorance, or conformity
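As an added example (not configuration from the thread or from Tony), here is how the authoritative-server hardening he lists, plus the recursion ACL Paul refers to, maps onto a BIND named.conf. It assumes BIND 9.16 or later for the `dnssec-policy` syntax; the zone name, file name, rate values and client prefixes (RFC 5737/3849 documentation ranges) are placeholders.

```conf
// Added example: BIND named.conf sketch of the amplification-reducing settings
// discussed above. Values are illustrative, not recommendations for any site.

acl "my-clients" { localnets; 192.0.2.0/24; 2001:db8::/32; };   // placeholder

options {
    directory "/var/named";

    // Authoritative-only server: never recurse. On a separate resolver,
    // restrict recursion to your own client base instead:
    //   allow-recursion { "my-clients"; }; allow-query-cache { "my-clients"; };
    recursion no;
    allow-query { any; };

    // Keep answers small: omit unneeded authority/additional data, and
    // answer ANY with a single RRset instead of every type at the name.
    minimal-responses yes;
    minimal-any yes;

    // Largest UDP payload the server will send. Staying under a typical
    // MTU means one unfragmented datagram or a truncated reply (TCP retry),
    // never a burst of fragments to a spoofed victim.
    max-udp-size 1232;

    // Response Rate Limiting (RRL): cap identical answers per client /24 or /56.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;        // every 2nd limited answer is sent truncated, not dropped
        log-only no;   // set yes first to observe what would be limited
    };
};

// Algorithm 13 (ECDSA P-256): 64-byte signatures versus 256+ bytes for RSA-2048,
// so every signed response, and any ANY response, shrinks accordingly.
dnssec-policy "ecdsa256" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
};

zone "example.com" {            // placeholder zone
    type primary;
    file "example.com.db";      // placeholder file
    dnssec-policy "ecdsa256";
};
```

After reloading, `rndc status` and the RRL log lines (with `log-only yes`) show whether limits trigger on legitimate traffic before enforcement is turned on.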