DNS Amplification Attack Mitigation

Fr34k freaknetboy at yahoo.com
Fri Mar 9 15:30:04 UTC 2012


I am (we all are (?)) interested in techniques for mitigating DNS amplification attacks for both recursive and authoritative BIND servers (versions 9.x).

Google found http://www.secureworks.com/research/threats/dns-amplification/ and http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-011-eng.aspx
which mention limiting clients via ACLs and using "additional-from-cache no;" as mitigation techniques.

Good articles, but written several years ago so there might be additional configuration suggestions from the community since 2009.
Are there and, if so, what are they?
Perhaps said another way, what other named.conf settings could we be looking at in this effort?

Thank you.

More information about the bind-users mailing list