Hi,

Are you already using your DNS server's response rate limiting features?
Not yet, as I still believe I should stop as much as possible such traffic at 
the firewall before it even reaches the network behind my firewall. So at the 
software/daemon/service level it would be my last line of defense.

If your hardware is powerful enough (e.g. at least 10 Gbps Ethernet and, let us say, 32 CPU cores in the authoritative DNS server), you could also try fending off the DoS attack simply by using NSD or Knot DNS instead of BIND. According to my measurements, they both outperformed BIND by a factor of 10.

If you are interested, you can find all the details in my open access paper: G. Lencse, "Benchmarking Authoritative DNS Servers", /IEEE Access/, vol. 8, pp. 130224-130238, July 2020. https://doi.org/10.1109/ACCESS.2020.3009141

Best regards,

Gábor
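For readers who do want the last line of defense the thread asks about, here is a minimal BIND 9 response rate limiting block. This is an added example by the editor, not configuration posted by Gábor or taken from the paper; the numeric values and the 192.0.2.0/24 exempt prefix are placeholders to be tuned for your own zones and monitoring hosts.

```conf
options {
    // Response Rate Limiting (RRL), available in BIND 9.9.4+ / 9.10+.
    // Limits identical responses per client /24 (IPv4) or /56 (IPv6)
    // so a spoofed-source reflection flood cannot use this server as
    // an amplifier. Legitimate resolvers retry and succeed.
    rate-limit {
        // Max identical responses per second to one client block.
        // Placeholder value; start with the default (0 = off) and
        // raise only after watching query logs for your busiest prefix.
        responses-per-second 10;

        // Averaging window in seconds; bursts are judged over this span.
        window 5;

        // Every 2nd dropped response is sent as a truncated (TC=1)
        // answer instead of silence, so real clients fall back to TCP
        // while spoofed floods get no amplification (slip 1 = never drop
        // silently, slip 0 = always drop silently).
        slip 2;

        // Placeholder: your own recursive resolvers and monitoring hosts
        // that must never be rate limited.
        exempt-clients { 192.0.2.0/24; };

        // Log what would be limited without actually limiting, useful
        // for a dry run before enforcing.
        // log-only yes;
    };
};
```

Knot DNS offers the same controls through its `mod-rrl` module (`rate-limit`, `slip`) and NSD through `rrl-ratelimit` / `rrl-slip` in the `server:` section (NSD must be built with `--enable-ratelimit`). Whichever daemon you run, enable RRL in log-only mode first and compare the counters against your normal peak traffic, since an overly low limit will throttle a busy legitimate resolver just as effectively as an attacker.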
