Thus said Daniel Fussell on Fri, 17 Jan 2014 10:17:35 -0700:

> Recently someone started using my DNS server for a DNS amplification
> attack, forcing me to disable recursion for queries coming from
> outside my network. It works well enough, but I'm now sending a denied
> packet to the victim instead of a 4 kbyte TXT record, where I'd like
> to send nothing at all.

When you solve your amplification problem (seems you've at least
whittled it down some), it is also recommended to separate your
iterative server from your recursive server:

http://oreilly.com/catalog/dns4/chapter/ch11.html#10959

Specifically the section titled ``Split-Function Name Servers''

Andy
--
TAI64 timestamp: 4000000052da36c2
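
Added example, not part of the original messages: a small Python check that classifies what an outside host receives from your own name server for a recursive TXT query, covering the three outcomes the thread mentions (the large answer, the denied packet, nothing at all) and the size ratio of each. The function names, the query name example.com and the two sample replies are constructed for illustration; in practice `response` would be the bytes received for a query sent to your own server from outside your network, or None on timeout.

```python
import struct

REFUSED = 5  # DNS RCODE for "query refused"

def build_query(name, qtype=16, txid=0x1234):
    """Minimal DNS query with RD=1; QTYPE 16 is TXT, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(query, response):
    """Describe what an outside host got back for a recursive query."""
    if response is None:                      # timeout: the server sent nothing
        return {"verdict": "silent", "amplification": 0.0}
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if rcode == REFUSED:
        verdict = "refused"
    elif flags & 0x0080 and rcode == 0 and ancount > 0:   # RA set, answers present
        verdict = "open-recursion"
    else:
        verdict = "other"
    return {"verdict": verdict, "amplification": round(len(response) / len(query), 1)}

def sample_refused(query):
    """Constructed reply: QR=1, RD=1, RCODE=5, question echoed back."""
    return query[:2] + struct.pack("!H", 0x8105) + query[4:]

def sample_open(query):
    """Constructed reply: QR=1, RD=1, RA=1, one TXT record of about 4 kbyte."""
    rdata = (b"\xf9" + b"x" * 249) * 16      # 16 character-strings, 4000 bytes
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    return header + query[12:] + rr

if __name__ == "__main__":
    q = build_query("example.com")
    for label, resp in [("open", sample_open(q)), ("refused", sample_refused(q)), ("silent", None)]:
        print(label, classify(q, resp))
```

A "refused" verdict still shows a ratio of 1.0, which is the denied packet Daniel describes reaching the spoofed source; only "silent" sends it nothing.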
