On Sat, 09 Jun 2012 13:51:00 +0200, jca+o...@wxcvbn.org (Jérémie
Courrèges-Anglas) wrote:
> Kostas Zorbadelos <kzo...@otenet.gr> writes:
> 
>> Hello all,
> 
> Hi
> 
>> there is a need to restrict a specific type of DNS queries (ANY queries)
>> in our nameservers. We faced a DDoS attack in our resolvers and the
>> thing is that we could not simply cut access to DNS resolution to
>> specific client IPs, the queries came from our own unsuspecting
>> customers.
> 
> So you run resolvers for your clients.  I will assume you're an ISP.
> In that case, you should be checking that the DNS queries that seem to
> come from your clients *actually* come from your clients, not out of
> nowhere, from spoofed IPs.  This could be done very easily with PF, *if*
> your current architecture allows it (if you have a way to distinguish
> network flow coming from your clients from spoofed requests coming from
> the Internet).
Does it affect caching name servers only, or the ones with zones too? I know it's
a stupid question because the authoritative server has to be open for all to
redistribute the domain (or not, for example we do not want some regions to
access our domain?)
> 

> Of course, if you're not an ISP, then forget what I said.
> 
>> The situation is similar but not the same as the one described here:
>>
>> https://isc.sans.edu/diary.html?storyid=13261
> 
> Indeed, that involves authoritative nameservers flooded with requests
> that can come from anywhere.
> 
> [...]
> 
> --
> Jérémie Courrèges-Anglas
> GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
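
The source check with PF suggested in the quoted reply could look like the following pf.conf fragment. It is an added example, not part of the original thread; the interface names, customer prefixes and resolver address are assumed placeholders, and it only applies where customer traffic and Internet traffic arrive on different interfaces.

```pf
# Assumed placeholders: adjust to the real topology.
ext_if   = "em0"            # Internet-facing interface (assumption)
cust_if  = "em1"            # interface facing the customer access network (assumption)
resolver = "192.0.2.53"     # recursive resolver address (documentation range)

# Prefixes assigned to customers (constructed sample values).
table <customers> const { 198.51.100.0/24, 203.0.113.0/24 }

# A packet that claims a customer source address but arrives from the
# Internet side is spoofed: drop it and log it for later review.
block in log quick on $ext_if inet proto { udp, tcp } \
    from <customers> to $resolver port 53

# On the customer side, drop packets whose source address is not routed
# back out of the interface they arrived on (unicast reverse path check).
block in log quick on $cust_if from urpf-failed

# Genuine customer queries reach the resolver.
pass in quick on $cust_if inet proto { udp, tcp } \
    from <customers> to $resolver port 53

# Nobody else gets recursion from this resolver.
block in log quick inet proto { udp, tcp } to $resolver port 53
```

Blocked packets show up on the pflog interface. This fragment fits a recursive resolver only: an authoritative server has to answer queries from any source, so the last rule does not apply there.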
