[Pdns-users] DDos Reflector

Augie Schwer augie.schwer at gmail.com
Wed Jan 21 22:23:06 UTC 2009

On Mon, Jan 19, 2009 at 11:41 AM, Christof Meerwald <cmeerw at cmeerw.org> wrote:
> Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS
> reflector, like rate-limiting SERVFAILs per IP address? What's the general
> opinion?

For this particular attack you could set "send-root-referral=no"; that
will make sure PowerDNS does not answer the "dig ns . @ns-server"
query which this attack uses.

Augie Schwer    -    Augie at Schwer.us    -    http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
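
A way to check the effect of the setting on a server you run, as an added example that is not part of the original post: it builds the root NS question that "dig ns ." asks and summarises a reply's rcode, record count and size relative to the query. All function names are hypothetical, and both sample replies are constructed (the SERVFAIL rcode in the second is chosen only for illustration).

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED"}

def build_root_ns_query(txid=0x1234):
    """Wire form of a plain '. IN NS' question (RD set, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)  # root name, NS, IN

def assess_response(query, response):
    """Summarise how much a reply to the root NS query gives back."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode, records = flags & 0x000F, an + ns + ar
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "records": records,
        "ratio": round(len(response) / len(query), 2),  # reply bytes per query byte
        "reflects_referral": rcode == 0 and records > 0,
    }

def probe(server, port=53, timeout=3.0):
    """Send the query over UDP to a server you operate; None means no reply."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            return assess_response(query, sock.recvfrom(4096)[0])
        except socket.timeout:
            return None

def sample_referral(query):
    """Constructed reply: 13 uncompressed root NS records in the authority section."""
    head = query[:2] + struct.pack("!HHHHH", 0x8100, 1, 0, 13, 0)
    rrs = b""
    for letter in b"abcdefghijklm":
        rdata = bytes([1, letter]) + b"\x0croot-servers\x03net\x00"
        rrs += b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return head + query[12:] + rrs

def sample_error(query):
    """Constructed reply: SERVFAIL with the question echoed and no records."""
    return query[:2] + struct.pack("!HHHHH", 0x8102, 1, 0, 0, 0) + query[12:]
```

Passing the address of your own name server to probe() returns the same summary for its live reply; a result with "reflects_referral" set to True means the server still hands out the root referral.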
