Kostas Zorbadelos <kzo...@otenet.gr> writes:

> Hello all,

Hi

> there is a need to restrict a specific type of DNS queries (ANY queries)
> in our nameservers. We faced a DDoS attack in our resolvers and the
> thing is that we could not simply cut access to DNS resolution to
> specific client IPs, the queries came from our own unsuspecting
> customers.

So you run resolvers for your clients.  I will assume you're an ISP.
In that case, you should be checking that the DNS queries that seem to
come from your clients *actually* come from your clients, not out of
nowhere, from spoofed IPs.  This could be done very easily with PF, *if*
your current architecture allows it (if you have a way to distinguish
network flow coming from your clients from spoofed requests coming from
the Internet).

Of course, if you're not an ISP, then forget what I said.

> The situation is similar but not the same as the one described here:
>
> https://isc.sans.edu/diary.html?storyid=13261

Indeed, that involves authoritative nameservers flooded with requests
that can come from anywhere.

[...]

--
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
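The source-address check Jérémie suggests, written out as an added pf.conf fragment; this is not code from the thread and not the poster's configuration. It assumes a resolver with one Internet-facing and one customer-facing interface, and uses RFC 5737 documentation addresses for the resolver and the customer prefixes; every interface name, address and prefix below is an assumption to be replaced with your own.

```pf
# Added example (not from the thread). Assumptions: em0 faces the Internet,
# em1 faces the customer access network, and the customer prefixes are known.
ext_if   = "em0"
int_if   = "em1"
resolver = "192.0.2.53"                       # resolver service address (assumed)
table <customers> persist { 198.51.100.0/24, 203.0.113.0/24 }   # customer prefixes (assumed)

set skip on lo

# Ingress filtering: a packet claiming a customer source address must arrive
# on the customer side, and nothing else may arrive there. A spoofed query
# from the Internet is dropped before it ever reaches the resolver.
block in quick on $ext_if from <customers>
block in quick on $int_if from ! <customers>
antispoof quick for { $ext_if, $int_if }

# Reverse-path check against the routing table, for addresses the static
# rules above do not cover.
block in quick from urpf-failed label "spoofed"

# Drop (not return) foreign queries so the resolver cannot be used as a
# reflector; only customers may reach port 53.
block drop in quick on $ext_if proto { tcp, udp } to $resolver port domain
pass in on $int_if proto { tcp, udp } from <customers> to $resolver port domain \
    keep state (max-src-states 500, overload <abusers> flush global)

# Sources that exceed the state budget land here and are cut off from the
# resolver until the table is cleared (pfctl -t abusers -T flush).
table <abusers> persist
block drop in quick from <abusers> to $resolver port domain
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. Note what this does and does not address: the ingress rules and `urpf-failed` only stop traffic whose source address is forged. If the flood really originates on customer hosts (the case the original poster describes), those rules pass it, and the per-source state limit with the `<abusers>` overload table is the lever that matters; tune `max-src-states` to what a legitimate customer CPE actually generates, since a NAT router in front of many users will need more than a single host.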