On 8/2/22 3:15 PM, Grant Taylor via bind-users wrote:
> It looks like you're dealing with A queries for the root domain. I've blocked this, and similar queries, via iptables firewall in the past.
I've seen a number of responses to Robert's "Stopping ddos" thread discussing using firewalls (iptables) to /rate/ /limit/ queries.
I wanted to add an overarching comment that such /rate/ /limiting/ ultimately means that some amount of state must be maintained on systems. This is a potential vector for a denial of service if left unchecked.
So I'd like to clarify that I believe that it is better in some situations to /statelessly/ /drop/ traffic that has no reason for going to a server. E.g. a server that's only authoritative for 2nd level domains has no business responding to any form of queries for the root zone.
To wit I have the following rule in the PREROUTING chain of the raw table to filter out queries for the root zone.

# raw/PREROUTING is traversed before connection tracking, so a DROP here creates no conntrack state.
# Offset 40 = 20-byte IPv4 header (no options) + 8-byte UDP header + 12-byte DNS header, i.e. the start of the question section.
iptables -t raw -A PREROUTING -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 40 --to 65535 -j DROP
Just a follow up / drive by comment.

-- 
Grant. . . .
unix || die
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
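Before deploying a raw-table string match like the one above, it is worth checking exactly which packets the hex pattern covers. The following is an added example, not code from the post or from ISC: it constructs IPv4/UDP/DNS query packets in the form iptables sees them in raw PREROUTING (20-byte IPv4 header without options, checksums left at zero, addresses and ports are placeholders), mimics `-m string --from 40` as a substring search starting at byte offset 40, and decodes the question section so the match result can be read alongside the name and QTYPE. The sample queries (root and example.com, QTYPE A and ANY) are constructed for the demonstration.

```python
import struct

# iptables --from counts from the start of the IP header:
# 20-byte IPv4 header (no options, assumed) + 8-byte UDP header + 12-byte DNS header = 40.
IP_HDR_LEN = 20
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
MATCH_FROM = 40
PATTERN = bytes.fromhex("0000ff0001")  # the |0000ff0001| --hex-string from the rule

QTYPE_NAMES = {1: "A", 28: "AAAA", 255: "ANY"}  # minimal table, enough for the demo


def encode_name(name):
    """Wire-format a domain name; the root "." encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Constructed IPv4+UDP+DNS query (checksums zeroed, placeholder addresses/ports)."""
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question  # RD set, QDCOUNT 1
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR_LEN + len(dns), 0) + dns
    total = IP_HDR_LEN + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return ip + udp


def rule_matches(packet):
    """Mimic `-m string --hex-string ... --from 40 --to 65535`: a substring search from offset 40."""
    return packet.find(PATTERN, MATCH_FROM) != -1


def decode_question(packet):
    """Decode the first question of the DNS payload: returns (qname, qtype_name, qclass)."""
    dns = packet[IP_HDR_LEN + UDP_HDR_LEN:]
    pos = DNS_HDR_LEN
    labels = []
    while True:
        length = dns[pos]
        pos += 1
        if length == 0:
            break
        labels.append(dns[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", dns[pos:pos + 4])
    qname = ".".join(labels) + "."
    return qname, QTYPE_NAMES.get(qtype, str(qtype)), qclass


# Constructed sample queries: (name, QTYPE).
SAMPLE_QUERIES = [
    (".", 255),
    (".", 1),
    ("example.com.", 255),
    ("example.com.", 1),
]


def classify(queries=SAMPLE_QUERIES):
    """Return {(qname, qtype_name): dropped_by_rule} for each constructed query."""
    result = {}
    for name, qtype in queries:
        pkt = build_query(name, qtype)
        qname, qtype_name, _ = decode_question(pkt)
        result[(qname, qtype_name)] = rule_matches(pkt)
    return result


if __name__ == "__main__":
    for (qname, qtype_name), dropped in classify().items():
        print(f"{qname:15} {qtype_name:4} -> {'DROP' if dropped else 'pass'}")
```

Running it shows what the five pattern bytes actually encode: a zero byte, QTYPE 0x00ff (ANY) and QCLASS 0x0001 (IN). For the root name the zero byte is the whole QNAME, so the root ANY query matches at offset 40; a root A query (QTYPE 0x0001) does not. Because the string match is a substring search over the whole remainder of the packet, the constructed example.com ANY query matches as well, since every QNAME ends with a zero terminator immediately followed by QTYPE and QCLASS. Swap in a different `PATTERN` (for example `0000010001` for root/A/IN) and re-run to confirm the coverage you want before the rule goes live.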