On 10/1/16 8:36 AM, A. Schulze wrote:
> Hello,
>
> a nsd user posted an interesting question:
> https://open.nlnetlabs.nl/pipermail/nsd-users/2016-September/002364.html
>
>> Could we eliminate the DDoS threat by just turning off UDP?
>>
>> Recursive servers I understand probably have to keep accepting them,
>> but authoritative servers are only intended for recursive servers to
>> query, so would it be safe to just drop port 53 UDP requests?
>
> are there any experiences/opinions on that?
> Andreas

Recursive resolvers expect to be able to contact an authoritative nameserver on UDP 53, so if you just drop that in a hole that is going to be kind of a problem, because they're going to time out.
There is a bit of an art to protecting servers from packets that they shouldn't be receiving. Just because it has to listen on UDP 53 does not mean it has to be able to receive UDP traffic for all other dports. Its own queries, for example, could be done with a different source IP. Once you get beyond (DNS / NTP) reflection, though, there's no particular reason why a volumetric DoS attack needs to use the UDP header. For that matter the traffic doesn't even need to splash on the target host to be effective if the goal is bandwidth consumption.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
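One concrete shape for the filtering the reply sketches, as an added example that is not part of the thread and not NSD's own configuration: an nftables ruleset for an authoritative server that accepts DNS on UDP and TCP 53 only on its published address, sources its own outbound queries (NOTIFY, zone transfers, SOA checks) from a second address so their replies never have to be admitted to the service address, and drops every other UDP packet. The addresses 192.0.2.53 and 192.0.2.54 are assumptions from RFC 5737 documentation space, the IPv4-only and ssh-management rules are assumptions too, and the `policy_decision` function is a hypothetical mirror of the input chain so the policy can be exercised on a few constructed packets without root or `nft`.

```shell
#!/bin/sh
# Added example (not from the thread, not NSD's own config): an nftables ruleset
# for an authoritative nameserver that listens on UDP/TCP 53 only, sources its
# own outbound queries from a second address, and drops every other UDP packet.
# Addresses are assumptions from RFC 5737 documentation space; IPv4 only.
SERVICE_IP="${SERVICE_IP:-192.0.2.53}"     # address resolvers query
QUERY_SRC_IP="${QUERY_SRC_IP:-192.0.2.54}" # source address for our own queries
                                           # (NOTIFY, AXFR/IXFR, SOA checks)

# Print the ruleset; apply with:  gen_ruleset | nft -f -
gen_ruleset() {
    cat <<EOF
table inet dnsauth {
    chain pre {
        type filter hook prerouting priority -300; policy accept;
        # No conntrack for DNS over UDP: under a flood the conntrack table
        # fills up and becomes a DoS vector of its own, so the UDP rules
        # in the input chain are stateless.
        udp dport 53 notrack
        udp sport 53 notrack
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # TCP (zone transfers in and out, ssh) still uses conntrack.
        ct state established,related accept
        ct state invalid drop

        # The service address accepts DNS on UDP and TCP, nothing else.
        ip daddr $SERVICE_IP udp dport 53 accept
        ip daddr $SERVICE_IP tcp dport 53 accept

        # Replies to our own queries come from port 53 and land on the
        # dedicated query-source address, so the service address never has
        # to accept UDP with any other dport.
        ip daddr $QUERY_SRC_IP udp sport 53 accept

        ip protocol icmp accept          # PMTUD, unreachables
        tcp dport 22 accept              # management (assumption: ssh)

        # Everything else, including UDP to any other port on any address
        # (e.g. a reflected NTP/SSDP flood aimed at a random port), is dropped.
        counter drop
    }
}
EOF
}

# Hypothetical mirror of the input chain for one inbound packet, so the policy
# can be checked without root or nft. Prints "accept" or "drop".
# Args: dst-ip proto dport sport
policy_decision() {
    dst="$1"; proto="$2"; dport="$3"; sport="$4"
    if [ "$proto" = udp ]; then
        if [ "$dst" = "$SERVICE_IP" ] && [ "$dport" = 53 ]; then echo accept; return; fi
        if [ "$dst" = "$QUERY_SRC_IP" ] && [ "$sport" = 53 ]; then echo accept; return; fi
    elif [ "$proto" = tcp ]; then
        if [ "$dst" = "$SERVICE_IP" ] && [ "$dport" = 53 ]; then echo accept; return; fi
        if [ "$dport" = 22 ]; then echo accept; return; fi
    elif [ "$proto" = icmp ]; then
        echo accept; return
    fi
    echo drop
}

# Usage:  sh dnsauth.sh ruleset   (print the nft ruleset)
#         sh dnsauth.sh demo      (run constructed packets through the policy)
case "${1:-}" in
    ruleset) gen_ruleset ;;
    demo)
        # Constructed packets: a resolver query, an NTP reflection packet,
        # a reply to our own query, and that same reply aimed at the service IP.
        for p in "$SERVICE_IP udp 53 40000" "$SERVICE_IP udp 123 123" \
                 "$QUERY_SRC_IP udp 41234 53" "$SERVICE_IP udp 41234 53"; do
            # word splitting of $p is intentional
            echo "$p -> $(policy_decision $p)"
        done ;;
esac
```

For the second address to carry the server's outbound queries, the nameserver itself has to be told to use it (NSD's `outgoing-interface:` option, BIND's `query-source`/`transfer-source`) and to listen only on the service address. As the reply notes, none of this helps once the attacker's goal is simply to fill the link: a dropped packet has already consumed the bandwidth it was sent to consume, so this ruleset buys host-side protection (no conntrack exhaustion, no CPU spent on stray UDP), not upstream protection.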