Am 28.03.2013 16:38, schrieb Michael Mol: > On 03/28/2013 04:51 AM, Norman Rieß wrote: >> Hello, >> >> i am using pdns recursor to provide a dns server which should be usable >> for everybody.The problem is, that the server seems to be used in dns >> amplification attacks. >> I googled around on how to prevent this but did not really find >> something usefull. >> >> Does anyone got an idea about this? > > I'm not sure it can be done. You can't make a resolver available to > "everybody" without somebody in that "everybody" group abusing it, and > that's exacly what happens in a DNS amplification attack. > > Restrict your resolver to be accessible only to your network or, at > most, those of the specific group of people you're seeking to help. > > You *might* try restricting the resolver to only respond to TCP requests > rather than UDP requests, but if the resolver sends response data along > with that first SYN+ACK, then nothing is solved, and you've opened > yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver > went offline as a result of a SYN flood, at least it wouldn't be part of > an amplification attack any longer...) >
Thank you Michael!
