Open sabrinasadik opened 1 year ago
@delandtj this was supposed to be part of the 3.11 release. Will you be able to help, or should it get moved to 3.12?
Besides limiting queries on the zos network, we also should make sure that we always run some dns cache in all our images. (Not sure what the available options are, but I know of dnsmasq.)
> Rate-limit DNS queries for VMs to 15/sec to alleviate popular DNS amplification and reflector attacks

@sabrinasadik how did we get the number (15)?
How about making the limit per X seconds (maybe X = 5, 10) instead of one second, to accommodate bursts of traffic from the users?
We can do the limit using nftables.
(as suggested by Jan)
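One way the nftables limit proposed above could look, as an added example that is not part of the original thread or the project's own configuration. The table, set and chain names, the `vm-*` interface pattern, the burst of 30 packets and the one-minute timeout are assumptions, and it presumes VM traffic is routed through the host's forward hook with one IPv4 source address per VM.

```nft
# Added example: per-VM DNS query rate limit with nftables.
# All names and the interface pattern below are hypothetical.
table ip vm_dns_limit {
    # One entry (and one token bucket) per VM source address.
    # Idle entries expire after a minute so the set does not grow forever.
    set dns_clients {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 1m
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # 15/second is the rate from the issue. "burst 30 packets" is an
        # assumed allowance so that a short spike of lookups from a VM is
        # not dropped; only a sustained rate above 15/second is.
        # "limit rate over" matches packets that exceed the bucket, so the
        # rule drops the excess and lets everything else fall through.
        iifname "vm-*" udp dport 53 add @dns_clients { ip saddr limit rate over 15/second burst 30 packets } counter drop
    }
}
```

Loaded with `nft -f`, the `counter` shows how many queries were dropped, and `nft list set ip vm_dns_limit dns_clients` shows which source addresses currently hold a bucket.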
> we also should make sure that we always run some dns cache in all our images

I fully agree with this and I think it should become a mandatory thing to do.
In the default Ubuntu 24.04 installation on my PC and a DigitalOcean VM, I found that systemd-resolved is already used for the resolver + caching.
Rate-limit DNS queries for VMs to 15/sec to alleviate popular DNS amplification and reflector attacks