[Pdns-users] Feature request: disable-any-meta-query-type dns amplification attacks

Josh Sanders facil77 at gmail.com
Sat Dec 19 18:34:54 UTC 2015


Hello,

I just want to share this info for blocking dns amplification attacks

http://wiki.opennicproject.org/Tier2Security
https://gist.github.com/guerrerocarlos/5171614
http://www.junkemailfilter.com/blog/2013/03/03/how-to-block-dns-amplification-attack-isc-org-any-attack/

Merry Christmas !


‚Äč

On Fri, Dec 18, 2015 at 3:21 PM, Josh Sanders <facil77 at gmail.com> wrote:

> Thanks for your reply Bert,
>
> I am trying the iptables rules for stopping "questions"
> -m string --hex-string "|0000ff0001|"  and not allowing
> to overload my small DNSs.
>
>
>
> On Fri, Dec 18, 2015 at 3:01 PM, bert hubert <bert.hubert at powerdns.com>
> wrote:
>
>> On Fri, Dec 18, 2015 at 02:50:22PM -0600, Josh Sanders wrote:
>> > Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:
>> > packetcache MISS
>> >
>> > As you may see, 'any-to-tcp=yes' seems to be not working so far ...
>>
>> Can you tcpdump? They could simply be sking the question, doesn't mean
>> they
>> have to *respect* your TC=1 answer. Since that is all we can do, set TC=1.
>> It does not stop the questions!
>>
>> We do provide a really small answer that way, which stops the
>> amplification
>> from working.
>>
>>         Bert
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20151219/aa69fc92/attachment.html>


More information about the Pdns-users mailing list