Quote:
Originally Posted by hesisaboury
for info, it was DNS Amplification Attack

The .options limiting you did looks good to me but if you search this forum you'll find some recent threads about DNS amplification attacks, this including links to NS best practices like CYMRU's ISC BIND templates, etc, etc. (Additionally this provides a nice write-up.) Just saying because there's a difference between utilizing ISC BIND as a caching name service for, say, only LAN clients and exposing it publicly, being the authoritative name server for domains. In the first case
Code:
allow-recursion { any; };
is useful, in the latter it is not. Reading those docs you could conclude the iptables limit module may be helpful, only as an additional measure, because using it does not address the core problem.
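
An added example, not part of the original post: a small Python check that reports how the `options` block of a named.conf exposes recursion, following the distinction the reply draws between a caching resolver and a publicly exposed authoritative server. The function names and the sample configurations are constructed for illustration.

```python
import re

def strip_comments(text):
    # named.conf accepts /* */, // and # comments.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    # Body of the top-level options { ... } statement, found by brace matching.
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def recursion_exposure(conf_text):
    # Returns "disabled", "open", "restricted" or "default" (no allow-recursion set).
    # Simplification: nested ACL braces and per-view overrides are not handled.
    body = options_block(strip_comments(conf_text))
    rec = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", body)
    if rec and rec.group(1).lower() in ("no", "false", "0"):
        return "disabled"
    acl = re.search(r"(?<![\w-])allow-recursion\s*\{([^}]*)\}", body)
    if acl is None:
        return "default"
    elements = [e.strip() for e in acl.group(1).split(";") if e.strip()]
    return "open" if "any" in elements else "restricted"

# Constructed sample configurations.
PUBLIC_OPEN = 'options { directory "/var/named"; allow-recursion { any; }; };'
LAN_CACHE = """options {
    recursion yes;
    allow-recursion { localhost; 192.168.0.0/24; };  # LAN clients only
};"""
AUTH_ONLY = "options { recursion no; /* authoritative only */ };"

if __name__ == "__main__":
    for name, conf in [("PUBLIC_OPEN", PUBLIC_OPEN), ("LAN_CACHE", LAN_CACHE),
                       ("AUTH_ONLY", AUTH_ONLY)]:
        print(name, recursion_exposure(conf))
```

A result of "open" on a server reachable from the Internet is the case to review first; "default" means the file sets no `allow-recursion` and the effective policy depends on the BIND version's built-in defaults.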