Subject: [dns-wg] protect DNS servers from dns amplification attacks

Date: Sun, Aug 04, 2013 at 01:48:47PM +0200

Quoting Michael Hock (hook1988@gmail.com):
> Hi there,
>
> I need to set up a DNS server which is accessible from the whole internet. I have not chosen a DNS software yet, so maybe we could discuss some, e.g. bind, dnsmasq, ...
>
> My biggest concerns are dns amplification attacks; I don't want my server to be part of this. Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?
Is it a resolver or a name server? A resolver open to the Internet probably is the wrong thing to do. Frankly, if you need to ask the questions above you likely haven't thought through your problem enough before coming to the conclusion that an open resolver is a desirable thing.

For name servers, OTOH, the situation is different. Tony Finch pointed at Redbarn patches. They work for me. NSD does rate limiting as of recent releases.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

What I need is a MATURE RELATIONSHIP with a FLOPPY DISK ...
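The response rate limiting (RRL) the reply points at, as an added illustration that is not code from the list, from the Redbarn patches or from NSD: a simplified model of what RRL does on an authoritative server. It keys a token bucket on (client /24, qname, qtype), answers within the limit, and beyond it drops most responses while answering every `slip`-th one with a tiny TC=1 reply so a genuine client retries over TCP. The limits, prefix length and the sample traffic (a spoofed flood aimed at 203.0.113.7 plus one ordinary query) are constructed for the example.

```python
# Simplified model of DNS Response Rate Limiting (RRL). Constructed example;
# parameters and traffic are assumptions, not a copy of BIND's or NSD's code.
from collections import Counter
from ipaddress import ip_network


class ResponseRateLimiter:
    """Token bucket per (client prefix, qname, qtype). Responses over the
    limit are dropped, except every `slip`-th one, which is sent as a small
    truncated (TC=1) reply so a real client falls back to TCP."""

    def __init__(self, responses_per_second=5, window=1.0, slip=2, v4_prefix=24):
        self.rps = responses_per_second
        self.burst = responses_per_second * window   # max tokens in a bucket
        self.slip = slip
        self.v4_prefix = v4_prefix
        self.buckets = {}   # key -> [tokens, last_seen, rate_limited_count]

    def _key(self, client_ip, qname, qtype):
        # Aggregate by prefix: spoofed sources inside one /24 share a bucket.
        net = ip_network(f"{client_ip}/{self.v4_prefix}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, client_ip, qname, qtype, now):
        """Return 'answer', 'drop' or 'truncate' for a query seen at time `now`."""
        key = self._key(client_ip, qname, qtype)
        tokens, last, limited = self.buckets.get(key, [self.burst, now, 0])
        tokens = min(self.burst, tokens + (now - last) * self.rps)  # refill
        if tokens >= 1.0:
            self.buckets[key] = [tokens - 1.0, now, limited]
            return "answer"
        limited += 1
        self.buckets[key] = [tokens, now, limited]
        return "truncate" if limited % self.slip == 0 else "drop"


def simulate():
    """Constructed traffic: 20 spoofed ANY queries within 0.1 s claiming to be
    from victim 203.0.113.7, plus one ordinary A query from 198.51.100.5."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    flood = [("203.0.113.7", "example.net", "ANY", 0.005 * i) for i in range(20)]
    legit = [("198.51.100.5", "www.example.net", "A", 0.05)]
    stats = Counter()
    for ip, name, qtype, t in flood:
        stats["victim:" + rrl.decide(ip, name, qtype, t)] += 1
    for ip, name, qtype, t in legit:
        stats["legit:" + rrl.decide(ip, name, qtype, t)] += 1
    return dict(stats)


if __name__ == "__main__":
    print(simulate())
```

The flood gets five full answers, seven small truncated replies and eight drops, while the unrelated legitimate query is answered normally; the truncated replies are what keeps a real client behind a rate-limited prefix from being cut off.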