On Thu, 28 Mar 2013 16:12:04 +0100 Volker Armin Hemmann <volkerar...@googlemail.com> wrote:
> > Hello, > > > > i am using pdns recursor to provide a dns server which should be > > usable for everybody.The problem is, that the server seems to be > > used in dns amplification attacks. > > I googled around on how to prevent this but did not really find > > something usefull. > > > > Does anyone got an idea about this? I haven't looked into it but. You could perhaps reduce the amplification by looking for trends that maximise response sizes such as the 100x amp against spamhaus of late, but you would be fighting against the wind and only buying time. Rate limiting may work but bear in mind that so many servers could be used that attacks maybe ongoing and you wouldn't notice, again you may be able to make attackers need to be subtler or go to more effort like for spam but you are not going to eradicate it. Really you would need some sort of network of dns servers communicating about who they are hurting as thankfully there is often a single victim, but really it would be better if the IETF had listened to the dangers and even now simply redesigned DNSSEC. As for tcp I used to have all my OpenBSD clients resolvers using the tcp option in resolv.conf but I haven't noticed another OS's resolver with that option. There are decent protections against syn floods but I assume you are wanting random clients to connect.
