Comment by immibis 1 day ago
How do you secure it against being used as a reflector in a UDP amplification attack?
toast0 1 day ago
Probably rate limits, making sure response minification is fully enabled, and maybe set a low truncation size?
You can't run a public service without reflecting something, but you can endeavour to make the reflection ratio small.
exiguus 20 hours ago
dnsdist supports QPS limits [1] and eBPF filtering [2]. And you can use dynamic Rules to drop traffic, and there are several rules to set UDP and TCP limits.
An in-production config looks like: https://github.com/freifunkMUC/ffmuc-salt-public/blob/main/d...
[1] https://www.dnsdist.org/advanced/qpslimits.html
[2] https://www.dnsdist.org/advanced/ebpf.html
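The truncation-size idea from the thread above, as an added example (not code from any commenter or from dnsdist): it builds a constructed TXT query and an oversized answer, then applies a server-side UDP cap that replaces the answer with a TC=1 header-plus-question reply, and measures the reflection ratio before and after. The function names, the `example.com` name and the record sizes are assumptions chosen for illustration.

```python
import struct

def build_query(qname, qtype=16, qid=0x1234, edns_size=None):
    """Constructed DNS query; optionally carries an EDNS0 OPT advertising a UDP size."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return header + name + struct.pack("!HH", qtype, 1) + opt

def question_end(msg):
    """Offset just past the (uncompressed) question section."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 5  # root label + QTYPE + QCLASS

def build_response(query, count, rdata_len=200):
    """Constructed answer: `count` TXT records, each with rdata_len bytes of text."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, count, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, rdata_len + 1)
          + bytes([rdata_len]) + b"x" * rdata_len)
    return header + query[12:question_end(query)] + rr * count

def limit_udp_response(response, advertised, server_cap):
    """Apply the truncation size: over the limit, send header + question with TC=1."""
    # Effective limit: what the client advertised (512 without EDNS), capped by the server.
    limit = min(max(advertised or 512, 512), server_cap)
    if len(response) <= limit:
        return response
    qid, flags = struct.unpack("!HH", response[:4])
    header = struct.pack("!HHHHHH", qid, flags | 0x0200, 1, 0, 0, 0)
    return header + response[12:question_end(response)]

def reflection_ratio(query, response):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("example.com", edns_size=4096)
    big = build_response(q, count=15)
    for cap in (4096, 1232, 512):
        out = limit_udp_response(big, 4096, cap)
        print(cap, len(out), round(reflection_ratio(q, out), 2))
```

A legitimate client that receives the TC=1 reply retries over TCP, where the handshake prevents source spoofing, so the cap costs real users one extra round trip for large answers.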