On 03/28/2013 04:51 AM, Norman Rieß wrote:
> Hello,
> 
> i am using pdns recursor to provide a dns server which should be usable
> for everybody.The problem is, that the server seems to be used in dns
> amplification attacks.
> I googled around on how to prevent this but did not really find
> something usefull.
> 
> Does anyone got an idea about this?

I'm not sure it can be done. You can't make a resolver available to
"everybody" without somebody in that "everybody" group abusing it, and
that's exacly what happens in a DNS amplification attack.

Restrict your resolver to be accessible only to your network or, at
most, those of the specific group of people you're seeking to help.

You *might* try restricting the resolver to only respond to TCP requests
rather than UDP requests, but if the resolver sends response data along
with that first SYN+ACK, then nothing is solved, and you've opened
yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
went offline as a result of a SYN flood, at least it wouldn't be part of
an amplification attack any longer...)