Stopping ddos

Nathan Ollerenshaw chrome at stupendous.net
Wed Aug 3 16:05:26 UTC 2022


On 8/2/22 3:29 PM, Robert Moskowitz wrote:

> My clients use my internal view.  My external view has:
> 
>      match-clients        { any; };
>      match-destinations    { any; };
>      allow-query        { any; };
>      allow-query-cache    { localhost; };
>      recursion no;

It's been a while but I don't think you need to respond to requests for 
'.' ... so I think you can block access to all zones except the one you 
want to respond for.

> I am way behind the times, as I really have not made any significant 
> changes to my config for a couple years.  Things have been stable.
> 
> And I am running CentOS7-arm which only has 9.11.4...
> 
> BTW, I am in the market for an 'affordable' DNS box to run here and get 
> out of the business of maintaining my own software.  I am approaching 
> 72, and not something I want to do anymore.  And I have not seen a 
> service provider that would let me really config my own zone files...

I was in the same boat and ended up shifting my personal stuff to 
Route53 in Amazon AWS. It costs like, $1 a month per zone to host and 
nobody is going to be killing Route53.

You can configure all the records in the zone however you like, and 
there are APIs if you want to script things, so for something like a 
residential network connection you can have a script update its A record 
in Route53 when the IP changes.
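For the "block access to all zones except the one you want to respond for" advice above, here is what an authoritative-only external view looks like in named.conf. This is an added example, not Robert's or Nathan's configuration: it assumes the public zone is "example.com" in /var/named/example.com.zone and that an internal view (not shown) is listed first so LAN clients never reach this one. It goes a little beyond the thread by also turning on BIND's response rate limiting and minimal-responses, both available in 9.11.4, because those are what actually shrink the reflection payload once the server stops answering out-of-zone queries.

```conf
// Added example; not from the original thread. Assumes BIND 9.11 and
// a single public zone, example.com.
view "external" {
    match-clients      { any; };
    match-destinations { any; };

    // Authoritative-only for outside clients: no recursion, and never
    // serve cached or root-hint data to them.
    recursion no;
    allow-query-cache { none; };

    // Deny queries at the view level; each zone below re-opens queries
    // for itself, so lookups for anything else (including ".") are
    // REFUSED rather than answered with a referral from the hints.
    allow-query { none; };

    // Reduce amplification: shortest possible answers, plus response
    // rate limiting so one spoofed source cannot get unlimited replies.
    minimal-responses yes;
    rate-limit {
        responses-per-second 10;
        errors-per-second    5;
        window               5;
    };

    zone "example.com" {
        type master;
        file "/var/named/example.com.zone";
        allow-query    { any; };
        allow-transfer { none; };   // list your secondaries here instead
    };
};
```

Run `named-checkconf` before reloading, then verify from an outside host: `dig @your.server . NS` should come back REFUSED while `dig @your.server example.com SOA` still answers with `aa` set. If you want to see what RRL would drop before enforcing it, add `log-only yes;` inside the rate-limit block and watch the log first.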


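The "script that updates its A record when the IP changes" that Nathan describes, written out as an added example (this is not code from the thread, and not an AWS-provided tool). It assumes a hosted zone id and record name on the command line, AWS credentials already available to boto3, and an IP-echo service (checkip.amazonaws.com is assumed here) that returns the caller's address as plain text. Everything except the two Route53 calls is kept pure so the logic can be exercised offline; the security-relevant piece is that the echo service's reply is treated as untrusted input and only a single global IPv4 address is ever written into the zone.

```python
#!/usr/bin/env python3
"""Keep a Route53 A record pointed at this host's current public IPv4.

Added example, not code from the bind-users thread. Assumes: hosted zone
id and record name as arguments, boto3 credentials configured, and an
IP-echo service (IP_SERVICE below is an assumption) answering in plain
text. The helpers are pure so they work without boto3 or network access.
"""
import ipaddress
import sys
import urllib.request

IP_SERVICE = "https://checkip.amazonaws.com"  # assumed echo service


def parse_public_ip(text):
    """Return the address in an IP-echo response, or None if unusable.

    The reply is untrusted: accept exactly one global IPv4 address so
    nothing else (private/test-net ranges, IPv6, arbitrary text) can
    ever end up as a record value in the zone.
    """
    candidate = text.strip()
    try:
        ip = ipaddress.IPv4Address(candidate)
    except ValueError:
        return None
    return str(ip) if ip.is_global else None


def fqdn(name):
    """Route53 keys records by absolute, lower-cased FQDN."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def extract_a_values(response, name):
    """Current A record values from a ListResourceRecordSets response;
    an empty list if the record does not exist yet."""
    for rrset in response.get("ResourceRecordSets", []):
        if rrset["Name"] == fqdn(name) and rrset["Type"] == "A":
            return [rr["Value"] for rr in rrset["ResourceRecords"]]
    return []


def needs_update(current_values, new_ip):
    """True if the record is missing or does not already hold new_ip.
    Skipping no-op UPSERTs keeps a cron job from hitting the API on
    every run when nothing changed."""
    return list(current_values) != [new_ip]


def build_change_batch(name, ip, ttl=300):
    """ChangeBatch for change_resource_record_sets. UPSERT creates the
    record if absent and replaces it otherwise; a short TTL limits how
    long resolvers keep the old address after a change."""
    return {
        "Comment": "dynamic A record update",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn(name),
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }


def update_if_changed(zone_id, name):
    """Live path: fetch the public IP, compare, UPSERT only on change.
    Returns the Route53 change id, or None when nothing was done."""
    import boto3  # imported here so the pure helpers run without it

    with urllib.request.urlopen(IP_SERVICE, timeout=10) as resp:
        new_ip = parse_public_ip(resp.read().decode("ascii", "replace"))
    if new_ip is None:
        raise RuntimeError("IP-echo service did not return a usable IPv4 address")

    r53 = boto3.client("route53")
    listing = r53.list_resource_record_sets(
        HostedZoneId=zone_id, StartRecordName=fqdn(name),
        StartRecordType="A", MaxItems="1")
    if not needs_update(extract_a_values(listing, name), new_ip):
        return None
    result = r53.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=build_change_batch(name, new_ip))
    return result["ChangeInfo"]["Id"]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: route53-dyndns.py HOSTED_ZONE_ID RECORD_NAME")
    print(update_if_changed(sys.argv[1], sys.argv[2]) or "unchanged")
```

Run it from cron every few minutes. Give the script its own IAM user or role whose policy allows only route53:ListResourceRecordSets and route53:ChangeResourceRecordSets on that one hosted zone ARN, so a compromised home box can rewrite its own A record and nothing else in the account.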
More information about the bind-users mailing list