Keith Mitchell <[email protected]> wrote:
>
> There are more effective mitigation measures available, in particular I
> would strongly recommend you have a look at:
>
>       http://www.redbarn.org/dns/ratelimits

If you are running an authoritative name server with DNSSEC zones then I
recommend you install this patch. If you don't do DNSSEC you need to
at least be aware of the attack and how to mitigate it in case they target
you.

You should also make sure authoritative servers send REFUSED responses to
queries in zones that they do not host. Some servers send referrals to the
root which can be nearly 900 bytes long.

If you are running a recursive name server then you should make sure it
ignores or rejects queries that do not come from your address ranges.

> For more information on this problem, and DNS rate-limiting patches
> which are available for BIND and Unbound.

I don't think there is a rate limiting patch for Unbound - since it is
recursive-only Unbound should be configured to ignore or reject reflection
attack queries.

Perhaps you are thinking of the NSD rate limiting patch:
http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

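The three recommendations above (RRL on authoritative servers, REFUSED rather than a root referral for zones you do not host, and recursion restricted to your own address ranges) map onto a handful of BIND named.conf options. The fragment below is an added illustration, not configuration from the thread or from the linked patch page; the addresses 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes standing in for "your address ranges", and the `rate-limit` clause assumes a BIND build that carries the RRL patch described at the URL above (it became a standard option in later 9.9/9.10 releases). Whether an unpatched server answers out-of-zone queries with REFUSED or with an upward referral depends on the BIND version, so the check at the end is the part to trust.

```conf
// ---- Authoritative-only server: weak vs. corrected -------------------
//
// Weak: recursion enabled for the world, and out-of-zone queries get a
// referral to the root (several hundred bytes) instead of a 1-line REFUSED.
// options {
//     recursion yes;
//     allow-query { any; };
// };

options {
    recursion no;                      // authoritative only
    allow-query { any; };              // anyone may ask about zones we host ...
    allow-query-cache { none; };       // ... but nobody gets cached/root data
    allow-recursion { none; };
    additional-from-cache no;          // keep answers minimal
    additional-from-auth  no;
    minimal-responses yes;

    // Response Rate Limiting (requires the RRL patch / a BIND with RRL).
    // Identical responses to the same /24 (or /56 for IPv6) beyond
    // responses-per-second are dropped or replaced by a truncated
    // reply ("slip 2" = every 2nd dropped answer becomes a small TC=1
    // response, so legitimate resolvers retry over TCP).
    rate-limit {
        responses-per-second 5;
        errors-per-second     5;
        referrals-per-second  5;
        nxdomains-per-second  5;
        window                5;
        slip                  2;
        ipv4-prefix-length   24;
        ipv6-prefix-length   56;
        exempt-clients { 192.0.2.0/24; 2001:db8::/32; };  // our own resolvers
        log-only no;        // set "yes" first to measure before enforcing
    };
};

zone "example.com" {               // the zone we actually serve
    type master;
    file "example.com.zone";
};

// ---- Recursive resolver for our own networks -------------------------
//
// Weak: an open resolver, every query from the Internet is answered.
// options {
//     recursion yes;
//     allow-query { any; };
// };

// Corrected: only our prefixes may query or recurse; everyone else is REFUSED.
// options {
//     recursion yes;
//     allow-query     { 192.0.2.0/24; 2001:db8::/32; localhost; };
//     allow-recursion { 192.0.2.0/24; 2001:db8::/32; localhost; };
//     allow-query-cache { 192.0.2.0/24; 2001:db8::/32; localhost; };
// };
```

Verify from an address outside your ranges: `dig @ns.example.com example.net A +norecurse` against the authoritative server should return `status: REFUSED` with a message size of a few dozen bytes, and `dig @resolver.example.com www.example.org` from outside should also be REFUSED. If the first query instead returns a referral with the root NS set in AUTHORITY and ADDITIONAL, the server is still a useful reflector regardless of RRL. Run RRL with `log-only yes` for a while first and watch the `rate-limit` log category so that legitimate heavy resolvers get added to `exempt-clients` before enforcement is switched on.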