These are chat archives for CZ-NIC/knot-resolver

Sep 2018
Héctor Molinero Fernández
Sep 08 2018 11:13
Hi, I would like to know what precautions I should take if I want to expose Knot Resolver to the public. I'm especially worried about amplification attacks. Is there any example configuration that implements measures to mitigate this type of attack?
Vladimír Čunát
Sep 08 2018 16:28
@hectorm: the most usual precautions are (1) a firewall dropping packets to that IP from outside or (2) the service not even listening on a public IP. For UDP the source address is easy to spoof, so kresd itself can't know for sure who asks and thus you'd better filter on the network perimeter.