On 03/28/2013 04:51 AM, Norman Rieß wrote: > Hello, > > i am using pdns recursor to provide a dns server which should be usable > for everybody.The problem is, that the server seems to be used in dns > amplification attacks. > I googled around on how to prevent this but did not really find > something usefull. > > Does anyone got an idea about this?
I'm not sure it can be done. You can't make a resolver available to "everybody" without somebody in that "everybody" group abusing it, and that's exacly what happens in a DNS amplification attack. Restrict your resolver to be accessible only to your network or, at most, those of the specific group of people you're seeking to help. You *might* try restricting the resolver to only respond to TCP requests rather than UDP requests, but if the resolver sends response data along with that first SYN+ACK, then nothing is solved, and you've opened yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver went offline as a result of a SYN flood, at least it wouldn't be part of an amplification attack any longer...)
signature.asc
Description: OpenPGP digital signature
