nubinetwork 5 days ago
This sounds like bad advice, I don't know why ISC is pushing this... they would be better off trying to make DNS a TCP-only service to stop amplification attacks.
bogantech 5 days ago
> This sounds like bad advice

Please elaborate. As they say, a typical DNS request comes in as one packet and is replied to in one packet; there is no ongoing connection, so there's no point keeping tracking information. The implication of not tracking the connection is that any packets will have to match a more specific rule than the "allow established,related" at the top of the firewall chain.

> they would be better off trying to make DNS a TCP-only service to stop amplification attacks.

Sure, let's get literally everyone on the internet to agree to a new version of DNS that uses TCP... Even if you do that, the problem moves from conntrack filling up to ephemeral ports filling up with sockets stuck in TIME_WAIT, because some genius thought a service that doesn't maintain a connection should use TCP.
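The firewall consequence described above, as an added example that is not part of this thread or of ISC's own documentation: an nftables ruleset (assumed layout, for a host answering DNS on UDP/53) that exempts DNS datagrams from connection tracking. Because `notrack` runs in the raw-priority hooks before conntrack sees the packet, `ct state established,related` never matches those datagrams, so both the incoming query and the outgoing reply need their own explicit accept rules or the chain's drop policy wins.

```nftables
table inet filter {
    # Raw priority runs before conntrack: DNS datagrams are marked untracked,
    # so they never occupy a conntrack table entry.
    chain prerouting_raw {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
    }
    chain output_raw {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Untracked queries would fall through to the drop policy without this.
        udp dport 53 accept
        tcp dport 53 accept
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Replies are untracked too, so they also need a stateless rule.
        udp sport 53 accept
        tcp sport 53 accept
    }
}
```

Load it with `nft -f` and confirm with `conntrack -L` that no UDP/53 entries appear while queries are being answered; TCP/53 is left tracked here so that fallback queries after truncation still work through the normal stateful rules.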
citrin_ru 5 days ago
TCP is less efficient for a request-response protocol. The root of the problem (DDoS with amplification) IMHO is not DNS but ISPs which allow source addresses to be spoofed. Most don't allow it. RFC2827 (BCP38) was published >20 years ago and the problem was not new even back then. How do bad guys find ISPs (or hosting providers) permitting src IP spoofing? Is there a way to encourage such ISPs to follow BCP38?
Dylan16807 5 days ago
If you want to stop UDP DNS from being able to amplify, require bigger query datagrams.
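Dylan16807's suggestion worked through as an added example, not code from the thread: a pure-Python sketch of a responder-side policy that drops queries below a minimum datagram size. The builder produces a bare query and one enlarged with an EDNS(0) Padding option (RFC 7830), which is assumed here as the mechanism a client would use to send a "bigger query"; `MIN_QUERY_LEN` and the 1200-byte sample response size are assumptions chosen to show how the ratio of bytes returned to bytes received changes.

```python
import struct

# Hypothetical policy threshold (assumption): answer only queries of at least this size.
MIN_QUERY_LEN = 200


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, padding: int = 0, txid: int = 0x1234) -> bytes:
    """Build a DNS query (RFC 1035). With padding > 0, append an EDNS(0) OPT
    pseudo-RR carrying an EDNS Padding option (code 12, RFC 7830) of that many
    zero bytes, which is how a client makes its query datagram larger."""
    arcount = 1 if padding else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set, QR clear
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if padding:
        opt_data = struct.pack("!HH", 12, padding) + b"\x00" * padding
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), then RDLENGTH.
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt_data)) + opt_data
    return msg


def is_query(datagram: bytes) -> bool:
    """True if the datagram is a plausible query: full header, QR bit clear, one question."""
    if len(datagram) < 12:
        return False
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", datagram[:12])
    return (flags & 0x8000) == 0 and qdcount == 1


def should_answer(datagram: bytes, min_len: int = MIN_QUERY_LEN) -> bool:
    """Responder policy: answer only well-formed queries at least min_len bytes long.
    A short query is silently dropped rather than answered with an error, so the
    responder never emits a datagram in reply to something smaller than min_len."""
    return is_query(datagram) and len(datagram) >= min_len


def amplification(query: bytes, response_len: int) -> float:
    """Bytes sent back per byte received for a given query/response pair."""
    return response_len / len(query)


if __name__ == "__main__":
    SAMPLE_RESPONSE_LEN = 1200  # constructed: size of a large (e.g. DNSSEC-signed) answer
    bare = build_query("example.com")               # 29 bytes
    padded = build_query("example.com", padding=200)  # 244 bytes
    for label, q in (("bare", bare), ("padded", padded)):
        print(f"{label:6s} {len(q):4d} bytes  answer? {should_answer(q)!s:5s}  "
              f"response/query x{amplification(q, SAMPLE_RESPONSE_LEN):.1f}")
```

The bare 29-byte query would return about 41 bytes per byte received against the constructed 1200-byte answer, while the padded 244-byte query brings that below 5 and is the only one the policy answers; a real deployment would also have to decide what to do with legitimate stub resolvers that do not yet pad, which is the compatibility cost of any "require bigger queries" rule.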