On Mar 28, 2013 10:38 PM, "Michael Mol" <mike...@gmail.com> wrote: > > On 03/28/2013 04:51 AM, Norman Rieß wrote: > > Hello, > > > > i am using pdns recursor to provide a dns server which should be usable > > for everybody.The problem is, that the server seems to be used in dns > > amplification attacks. > > I googled around on how to prevent this but did not really find > > something usefull. > > > > Does anyone got an idea about this? > > I'm not sure it can be done. You can't make a resolver available to > "everybody" without somebody in that "everybody" group abusing it, and > that's exacly what happens in a DNS amplification attack. > > Restrict your resolver to be accessible only to your network or, at > most, those of the specific group of people you're seeking to help. > > You *might* try restricting the resolver to only respond to TCP requests > rather than UDP requests, but if the resolver sends response data along > with that first SYN+ACK, then nothing is solved, and you've opened > yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver > went offline as a result of a SYN flood, at least it wouldn't be part of > an amplification attack any longer...) >
Can't we rate limit UDP DNS request? E.g., limit each source IP to, let's say, 1 UDP per second? That should be doable easily using iptables. Rgds, --
