[dns-wg] protect DNS servers from dns amplification attacks

Subject: [dns-wg] protect DNS servers from dns amplification attacks Date: Sun, Aug 04, 2013 at 01:48:47PM +0200 Quoting Michael Hock (hook1988 at gmail.com):
> Hi there,
> 
> I need to set up a DNS server which is accessible from the whole internet.
> I have not chosen a DNS software yet, so maybe we could discuss about some,
> e.g. bind, dnsmasq, ...
> 
> My biggest concerns are dns amplification attacks, I don't want my server
> to be part of this.
> Is it already possible to protect DNS servers from spoofing attacks? Maybe
> just by rate-limiting the requests, without breaking legit requests?

Is it a resolver or a name server? 

A resolver open to the Internet probably is the wrong thing to
do. Frankly, if you need to ask the questions above you likely haven't
thought through your problem enough before coming to the conclusion that
an open resolver is a desirable thing.

For name servers, OTOH, the situation is different. 

Tony Finch pointed at Redbarn patches. They work for me. 

NSD does rate limiting as of recent releases. 

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
What I need is a MATURE RELATIONSHIP with a FLOPPY DISK ...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: </ripe/mail/archives/dns-wg/attachments/20130807/4c5b6b18/attachment.sig>