Recently someone started using my DNS server for a DNS amplification attack, forcing me to disable recursion for queries coming from outside my network. It works well enough, but I'm now sending a denied packet to the victim instead of a 4 kbyte TXT record, where I'd like to send nothing at all.
So I've been thinking about filtering malicious DNS packets before they ever get to the daemon. Maybe in IPtables, maybe at the router/firewall, and I've worked out a few basic deep scanning rules to drop recursion-desired packets from outside networks. Out of curiosity, has anyone come up with a better way to handle DNS amplification attacks? I saw one guy filtering based on what domain was being queried and maintaining a blacklist, but that would probably only help if you had to support recursion from outside networks.

Grazie,
;-Daniel

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
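An added illustration, not part of Daniel's post: a small Python model of the "drop recursion-desired queries from outside" rule he describes, decoding the RFC 1035 header of a UDP/53 payload and returning the verdict a packet filter would apply. The internal ranges and the sample queries are constructed for the example.

```python
import ipaddress
import struct

# Networks allowed to ask for recursion (constructed values, not real ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]


def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),      # RD: recursion desired
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def decide(src_ip: str, payload: bytes) -> str:
    """Verdict ('ACCEPT' or 'DROP') for a datagram to UDP/53 from src_ip."""
    try:
        hdr = parse_dns_header(payload)
    except ValueError:
        return "DROP"            # malformed: never worth answering
    if hdr["qr"]:
        return "DROP"            # a response, not a query; nothing to serve
    if not hdr["rd"]:
        return "ACCEPT"          # iterative query for our own zones: fine
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in INTERNAL_NETS):
        return "ACCEPT"          # our own clients may use recursion
    return "DROP"                # recursion from outside: discard silently


def build_query(name: str, rd: bool, qtype: int = 16) -> bytes:
    """Build a minimal query for name (qtype 16 = TXT); constructed input."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    print(decide("203.0.113.5", build_query("example.com", rd=True)))   # DROP
    print(decide("192.168.1.10", build_query("example.com", rd=True)))  # ACCEPT
```

The same header offsets (flags at bytes 2-3 of the DNS payload, RD = 0x0100) are what an iptables u32 or string match would test; the Python version just makes the decision table explicit and testable.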
