That's very selective cutting of my sentence Klaus....

> On 2 Apr 2020, at 13:09, Klaus Darilion <[email protected] <mailto:[email protected]>> wrote:
>
> On 02.04.2020 at 09:15 Frank Louwers wrote:
>> dnsdist allows you to do general ratelimiting/blocking
>
> Ratelimiting is often not the correct choice.
>
> If the source IP is random (which is usually the case with spoofed source IP addresses), a rate limiting based on source IP is not useful.
>
> If the query-name is random (which is usually the case with spoofed source IP addresses), a rate limiting based on qname is not useful.
>
> If the qname is always the same, or at least within the same zone, you could do rate limiting for that zone, but this limits all queries, attack queries and legitimate queries. Hence, you create a DoS for that zone, but at least avoid collateral damage to other zones hosted on that name server.
>
> So my advice: use a name server which can fill your upstream bandwidth (NSD, Knot ...). And for volumetric attacks use a commercial DDoS mitigation provider which filters your traffic (i.e. buy the service from your ISP or from a remote DDoS mitigation provider which announces your prefixes on demand.)
>
> regards
> Klaus
>
> _______________________________________________
> dns-operations mailing list
> [email protected] <mailto:[email protected]>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
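As an added illustration (not code from the thread or from dnsdist), a small offline simulation of the three cases in the quoted advice: a fixed-window rate limiter keyed by source address, by qname, and by zone, run over constructed legitimate traffic mixed with spoofed random-source or random-qname queries. The zone names, the 192.0.2.0/24 resolver addresses, the query counts and the limit of 100 are assumptions.

```python
import random
from collections import Counter, namedtuple

rng = random.Random(7)  # seeded so the simulation is repeatable
VICTIM_ZONE, OTHER_ZONE = "example.net.", "example.org."  # constructed zone names
Query = namedtuple("Query", "src qname attack")

def legit_traffic():
    # 10 resolvers (192.0.2.1-10), 12 queries each: 80 to the victim zone, 40 to the other.
    return [Query(f"192.0.2.{1 + i % 10}", "www." + (VICTIM_ZONE if i % 3 else OTHER_ZONE), False)
            for i in range(120)]

def random_ip():
    return ".".join(str(rng.randrange(256)) for _ in range(4))
def random_label():
    return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(12))

def attack_random_source(n=2000):
    # Spoofed, distinct source address per packet; the qname is fixed.
    return [Query(random_ip(), "www." + VICTIM_ZONE, True) for _ in range(n)]
def attack_random_qname(n=2000):
    # Spoofed sources plus a random label under the victim zone per packet.
    return [Query(random_ip(), random_label() + "." + VICTIM_ZONE, True) for _ in range(n)]

def zone_of(q):
    return VICTIM_ZONE if q.qname.endswith(VICTIM_ZONE) else OTHER_ZONE

def rate_limit(queries, key_fn, limit):
    # Fixed-window counter: the first `limit` queries per key_fn(q) bucket pass, the rest drop.
    seen, passed, dropped = Counter(), [], []
    for q in queries:
        k = key_fn(q)
        seen[k] += 1
        (passed if seen[k] <= limit else dropped).append(q)
    return passed, dropped

def evaluate(attack, key_fn, limit=100):
    # Mix legitimate and attack queries, apply the limiter, report who got dropped.
    mixed = legit_traffic() + attack
    rng.shuffle(mixed)
    passed, dropped = rate_limit(mixed, key_fn, limit)
    return {
        "attack_dropped": sum(q.attack for q in dropped),
        "attack_passed": sum(q.attack for q in passed),
        "legit_victim_zone_dropped": sum(not q.attack and zone_of(q) == VICTIM_ZONE for q in dropped),
        "legit_other_zone_dropped": sum(not q.attack and zone_of(q) == OTHER_ZONE for q in dropped),
    }

if __name__ == "__main__":
    print("per-source limit, random sources:", evaluate(attack_random_source(), lambda q: q.src))
    print("per-qname limit, random qnames:  ", evaluate(attack_random_qname(), lambda q: q.qname))
    print("per-zone limit, same-zone attack:", evaluate(attack_random_qname(), zone_of))
```

The first two runs drop no attack traffic at all, and the third drops almost all of it together with most legitimate queries for the victim zone while leaving the other zone untouched, which is the trade-off the quoted mail describes.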
