[dnsdist] addAnyTCRule() explenation
Federico Olivieri
lvrfrc87 at gmail.com
Thu Feb 11 15:45:17 UTC 2016
Thanks for your reply Remi,
Basically, when the server receives a spoofed DNS query, it truncates the
UDP packet and it forces the source address to use TCP. The source address
when receives the request from server to move in TCP it ignore the request
because it didn't originally send the (spoofed) request.
Is it right?
Thanks
2016-02-11 8:32 GMT+00:00 Remi Gacogne <remi.gacogne+dnsdist at powerdns.com>:
>
> Hi Federico,
>
> On 02/11/2016 12:24 AM, Federico Olivieri wrote:
> > However is not clear to me if I have and UDP ANY request (and in case of
> > DDoS attack, more then one!) why I should reply back to use TCP. How
> > can this mitigate a potential DDoS attack based on ANY queries?
>
> It prevents you from being used as an amplification source for a DDOS
> (if the source address is spoofed) because the answer is not larger than
> the query, while letting legitimate clients retry over TCP and then
> getting a valid response.
>
> If you prefer so, you can drop all ANY queries with:
>
> addAction(QTypeRule(dnsdist.ANY), DropAction())
>
>
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20160211/9c6b1786/attachment.html>
More information about the dnsdist
mailing list