------- Original Message -------
On Wednesday, July 19th, 2023 at 12:40 PM, Stuart Henderson <stu.li...@spacehopper.org> wrote:

> I don't think you understood what I wrote then - they are the
> opposite of helpful here.

No, I do understand what you wrote, but I should have explained my case in more detail.

Behind my OpenBSD firewall I have two authoritative DNS servers, and because of a recent DDoS originating from >12k IPs against UDP port 53 on these two servers, the whole network behind the firewall becomes unresponsive or has high packet loss, because there are over 2 million states in the PF state table during the attack.

So in my specific case I don't care that Cloudflare or other external DNS servers cannot query my authoritative DNS servers for a few seconds or minutes, but I do care a lot that the whole rest of my network and the servers behind the OpenBSD firewall stay responsive. It's a trade-off I can totally accept and welcome.

Furthermore, when I have so many state entries due to a DDoS on UDP port 53, CARP breaks, as do the OSPF sessions with my border routers, because they cannot communicate properly within the defined timeouts.
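As an added pf.conf example (not from this thread or from OpenBSD's own documentation), one way to express the trade-off described above: give the DNS rule its own state cap and short UDP timeouts, so a port 53 flood hits that cap instead of filling the table that CARP, OSPF and the rest of the network depend on. The interface name and addresses are assumed.

```pf
# Added example, not from the thread. Assumed: $ext_if and constructed
# server addresses; adjust the numbers to the real state table size.
ext_if = "em0"
dns_servers = "{ 192.0.2.10, 192.0.2.11 }"

# Overall state table size; the DNS rule below may use only a slice of it.
set limit states 2000000

# Age UDP states out quickly so flood entries do not linger.
set timeout { udp.first 15, udp.single 10, udp.multiple 30 }

# Control-plane traffic the firewall itself depends on, matched first.
pass quick on $ext_if proto carp
pass quick on $ext_if proto ospf

# Inbound DNS: once this rule holds 200000 states, further packets
# matching it are dropped rather than creating new states, so the
# flood cannot exhaust the table used by everything else.
pass in quick on $ext_if proto udp to $dns_servers port domain \
    keep state (max 200000)
```

When the cap is reached, legitimate resolvers are refused for the duration of the flood, which is exactly the trade-off accepted above.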