[dnsdist] addAnyTCRule() explanation
Remi Gacogne
remi.gacogne+dnsdist at powerdns.com
Thu Feb 11 08:32:20 UTC 2016
Hi Federico,
On 02/11/2016 12:24 AM, Federico Olivieri wrote:
> However, it is not clear to me: if I have a UDP ANY request (and in case of
> a DDoS attack, more than one!), why should I reply back to use TCP? How
> can this mitigate a potential DDoS attack based on ANY queries?
It prevents you from being used as an amplification source for a DDoS
(if the source address is spoofed) because the answer is not larger than
the query, while letting legitimate clients retry over TCP and then get
a valid response.
If you prefer, you can drop all ANY queries with:
addAction(QTypeRule(dnsdist.ANY), DropAction())
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
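To make the size argument above concrete, here is an added Python sketch (not dnsdist's code and not from this thread) that builds a constructed UDP ANY query, the truncated reply a TC rule sends back, and the resulting byte ratio a spoofed victim would receive:

```python
import struct

QR, TC = 0x8000, 0x0200          # DNS header flag bits (RFC 1035)
QTYPE_ANY, QCLASS_IN = 255, 1

def build_any_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed UDP query: one question for <name> with QTYPE=ANY, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)

def question_section(msg: bytes) -> bytes:
    """Return the single question section: QNAME labels + QTYPE + QCLASS."""
    pos = 12
    while msg[pos] != 0:            # walk the length-prefixed labels
        pos += msg[pos] + 1
    return msg[12:pos + 1 + 4]      # terminating zero byte, then QTYPE/QCLASS

def truncated_response(query: bytes) -> bytes:
    """What a TC rule answers: the query's header with QR and TC set, the
    question echoed back and no records at all, so the reply is never
    larger than the query that triggered it."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | QR | TC, 1, 0, 0, 0)
    return header + question_section(query)

def is_truncated(msg: bytes) -> bool:
    """A legitimate client that sees TC=1 retries the same query over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes a spoofed victim receives per byte the sender had to emit."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_any_query("example.com")      # constructed sample name
    r = truncated_response(q)
    print(len(q), len(r), amplification_factor(q, r), is_truncated(r))
```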