------- Original Message -------
On Wednesday, July 19th, 2023 at 12:40 PM, Stuart Henderson 
<stu.li...@spacehopper.org> wrote:

> I don't think you understood what I wrote then - they are the
> opposite of helpful here.

No, I do understand what you wrote but I should have explained my case in more 
details. Behind my OpenBSD firewall I have two authoritative DNS servers and 
because of recent DDoS originating from >12k IPs against UDP port 53 on these 
two servers the whole network behind the firewall gets unresponsive or has a 
high packet loss because there is over 2 million states in the PF states table 
during the attack. So in my specific case I don't care that cloudflare or other 
external DNS servers can not query my DNS authoritative servers for a few 
seconds or minutes but I do care a lot that my whole rest of my network and 
servers behind the OpenBSD firewall stays responsive. It's a trade-off I can 
totally accept and welcome. Furthermore when I have so many state entries due 
to a DDoS on UDP port 53, CARP breaks as well as the OSPF sessions with my 
border routers because it can not communicate properly within the defined 

Reply via email to