These are chat archives for CZ-NIC/knot-resolver

8th
Sep 2018
Héctor Molinero Fernández
@hectorm
Sep 08 2018 11:13
Hi, I would like to know what precautions I should take if I want to expose Knot Resolver to the public. I'm especially worried about amplification attacks. Is there any example configuration that implements measures to mitigate this type of attack?
Vladimír Čunát
@vcunat
Sep 08 2018 16:28
@hectorm: the most usual precautions are (1) firewall dropping packets to that IP from outside or (2) service not even listening on a public IP. For UDP the source address is easy to spoof, so kresd itself can't know for sure who asks and thus you'd better filter on the network perimeter.