No, this is not possible. UDP is trivially spoofed (which is probably why you see the problem in the first place; the source IPs you see on the packets are the *victims* not the attacker). Doing this for UDP opens an easy DoS of your legitimate clients.

--
 Sent from a phone, apologies for poor formatting.
On 7 May 2021 09:54:58 Axel Rau <axel....@chaos1.de> wrote:

> On 05.05.2021 at 16:20, Stuart Henderson <s...@spacehopper.org> wrote:
>
>> This is usually best dealt with in your DNS server software e.g. by using
>> the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
>> section in BIND.
>
> Yes, I have this in place now, but I am trying to let the fw drop them.
> This does not seem to be working:
>
> udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'
> …
> pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
>         port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
>
> Is this not possible with udp?
>
> Axel
>
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
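As an added illustration of the DNS-server-side rate limiting Stuart recommends (this is not configuration from either poster): an rrl-* block for nsd.conf(5) and the equivalent rate-limit section for BIND's named.conf. The option names are the documented ones for each daemon; the numeric values and the zone name are constructed examples to be tuned against the real query profile, and NSD has to be built with RRL support for the rrl-* options to be accepted.

```text
# nsd.conf(5): response rate limiting (server-wide defaults)
server:
    rrl-size: 1000000             # entries in the rate-limit hash table
    rrl-ratelimit: 200            # responses per second per source prefix
    rrl-whitelist-ratelimit: 2000 # higher limit for whitelisted response types
    rrl-slip: 2                   # every 2nd dropped answer is sent back truncated
    rrl-ipv4-prefix-length: 24    # sources are counted per /24 ...
    rrl-ipv6-prefix-length: 64    # ... and per /64

zone:
    name: "example.com"           # constructed zone name
    zonefile: "example.com.zone"
    rrl-whitelist: dnskey         # DNSKEY answers for this zone use the whitelist limit

# named.conf (BIND 9.10 or later): the equivalent rate-limit section
options {
    rate-limit {
        responses-per-second 10;  # identical answers per second to one prefix
        errors-per-second 5;
        nxdomains-per-second 5;
        window 5;                 # seconds over which the limits are averaged
        slip 2;                   # every 2nd dropped answer becomes a TC=1 reply
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;              # yes = only log what would be limited
    };
};
```

The slip setting is what makes this safer than dropping at the firewall: instead of silently discarding every excess answer, the server returns every Nth one with the truncation bit set, so a real resolver whose address is being spoofed simply retries over TCP (which the attacker cannot spoof), while the reflected UDP volume towards the victim still shrinks. Running BIND with `log-only yes` first shows which prefixes would be limited before any answers are actually withheld.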
