On 2012-09-17 15:31, Sean Walberg wrote:
On Mon, Sep 17, 2012 at 3:28 PM, Paul Sierks <psierks@sierkstech.net> wrote:
Sorry for any confusion, which I'm sure I'm about to add to. But this particular box doesn't have an internal network, just one interface on the internet. Also I think a lot of the problem in my case is that the allowed IP addresses change on a regular basis, quite often.
Paul, are you saying that your "allowed" IP addresses are just out there on the Internet at large, and not on an internal network? In that case, I'd have to agree with Sean:
Then I think we're back at Gille's original response -- don't do it! :) There are many better public DNS servers out there, such as Google's 8.8.8.8 and 8.8.4.4.
Failing that, mitigate the risk with an iptables filter to prevent your host from being the source of the DDOS.
That would be a good strategy, but you have to set this up carefully to make sure you're not interfering with normal DNS activity. You might be able to cobble something together, e.g. using the "recent" module, but setting thresholds might be tricky.
Sean, do you have a working iptables example that you've used? I've used the "recent" module on services like SSH, POP, and IMAP, but not for DNS.
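As an added illustration (not Sean's rules, and not anything posted in this thread) of what a "recent"-module filter for an exposed resolver could look like, the script below emits a small iptables rule set that whitelists a maintained list of allowed sources and rate-limits every other source's UDP/53 queries per address. The interface name, the chain name DNS_LIMIT, the window/hit thresholds and the two allowed networks (192.0.2.10 and 198.51.100.0/24, from the documentation ranges) are all assumptions chosen for the example; the threshold in particular has to be tuned to the box, which is exactly the tricky part raised above. Rules are printed for review by default and only applied when run with --apply.

```shell
#!/bin/sh
# Added example: per-source rate limit for inbound DNS queries using the
# iptables "recent" module. Every value below is an assumption for the
# example, not a recommendation for any particular host.

IFACE="${IFACE:-eth0}"         # assumption: the single public interface
IPT="${IPT:-iptables}"         # iptables binary (or "echo iptables" to dry-run)
WINDOW="${WINDOW:-10}"         # assumption: sliding window in seconds
MAX_HITS="${MAX_HITS:-15}"     # assumption: queries per source per window;
                               # must not exceed xt_recent's ip_pkt_list_tot
                               # module parameter (default 20)
# Constructed allowed sources (documentation ranges); in practice this list is
# the thing that changes often, so keep it in one variable and re-run the script.
ALLOWED="${ALLOWED:-192.0.2.10 198.51.100.0/24}"

# Print the rule set, one iptables command per line, without applying it.
dns_ratelimit_rules() {
    # Dedicated chain so the limit can be flushed/reloaded independently of INPUT.
    printf '%s -N DNS_LIMIT\n' "$IPT"

    # Known-good sources bypass the limiter entirely; a busy legitimate client
    # would otherwise trip the threshold and be mistaken for an attacker.
    for net in $ALLOWED; do
        printf '%s -A DNS_LIMIT -s %s -j ACCEPT\n' "$IPT" "$net"
    done

    # Order matters: check the counter first, then record the hit.
    # --update refreshes the entry and matches once the source has sent
    # MAX_HITS packets within WINDOW seconds; a flooding source keeps
    # refreshing its own entry and stays blocked while the flood lasts.
    printf '%s -A DNS_LIMIT -m recent --name dnsq --update --seconds %s --hitcount %s -m limit --limit 5/min -j LOG --log-prefix "DNS-RATE " --log-level notice\n' \
        "$IPT" "$WINDOW" "$MAX_HITS"
    printf '%s -A DNS_LIMIT -m recent --name dnsq --update --seconds %s --hitcount %s -j DROP\n' \
        "$IPT" "$WINDOW" "$MAX_HITS"
    # Below the threshold: add/refresh the source in the list and accept.
    printf '%s -A DNS_LIMIT -m recent --name dnsq --set -j ACCEPT\n' "$IPT"

    # Hook the chain in front of existing INPUT rules for UDP/53 only;
    # amplification traffic is UDP, and TCP/53 has the handshake as a brake.
    printf '%s -I INPUT -i %s -p udp --dport 53 -j DNS_LIMIT\n' "$IPT" "$IFACE"
}

# Number of rules the current settings produce (handy for a sanity check
# before applying on a live box).
dns_ratelimit_rule_count() {
    dns_ratelimit_rules | wc -l | tr -d ' '
}

# Apply the printed rules to the running firewall (requires root).
apply_dns_ratelimit() {
    dns_ratelimit_rules | sh -e
}

case "${1:-}" in
    --apply) apply_dns_ratelimit ;;
    --show)  dns_ratelimit_rules ;;
esac
```

The recent list defaults to 100 tracked addresses (xt_recent's ip_list_tot); on a resolver that sees many distinct clients the module parameter needs raising, or the limiter silently forgets the oldest sources. Watching the DNS-RATE log lines for a few days with the DROP rule commented out is the usual way to find a threshold that catches floods without hitting real clients.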