how to defense against ddos attack to dns?

Mark Andrews marka at
Tue Nov 17 01:19:53 UTC 2009

In message <BLU149-W13EF74E1E2EBA2FE9DD3F385A40 at phx.gbl>, MontyRee writes:
> Hello, all.
> I have operated some dns servers and I'm curious what should I do if 
> ddos attck to my dns servers.
> So do you know how to defense against dns dddos attack like root server?
> Surely, various ddos attack may be occurred.
> My idea is..
> -. filtering 53/udp traffic that the byte is over 512 byte
> -. rate-limit against 53/udp queries
>    (but useless if the attack spoof the source ip)
> -. deny recursion 
> -. anycast?
> Is ther any comments or proposal?

How you defend against a DoS attack depends on the actual attack
and what services you are attempting to provide and to whom.  You
want to minimise collateral damage and some of the methods above
are likely to introduce collateral damage.

> Thanks in advance. 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list