nanog mailing list archives

Re: Summary with further Question: Domain Name System protection


From: bmanning () vacation karoshi com
Date: Tue, 17 Aug 2004 03:57:17 +0000


1. ISPs use firewalls to protect their DNS servers;

        some do, some don't

4. Anycast is the most scalable and standard solution
for a dispersed DNS server farm, while a layer-4 switch
could deal with a centralized server farm;

        it's not a standard.

5. 'bogon' in BIND configuration could be used to
filter requests from RFC1918 addresses;

        this should be pushed to
        the router.  don't waste CPU cycles 
        on the Nameserver.

6. A firewall may become the bottleneck of a DNS server farm
in a DoS attack or in a situation of high
session rate;

        yes

7. It's a good solution to divide DNS servers into two
groups, one for recursive lookups, the other for
non-recursive;

        yes

8. BIND should be configured carefully, and there is a
BIND secure template to follow

        although the template will not meet every case.

a) If a firewall is used to protect a DNS server farm,
could it do more than a router's ACL while reaching the
same performance-cost ratio? Which one is usually
chosen by those ISPs having large customer numbers? (We
noticed DNS requests from our customers keep increasing
in past months.)

        general rule - drop undesired traffic as far
        upstream as possible.

b) Is there any publicly available performance
evaluation of Nominum's product?

        you should check w/ the Nominum staff on any
        performance evaluations.


Any of your words will be highly appreciated.

Joe

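As an added example (not part of this thread and not from either poster), the following BIND 9 named.conf fragments show two of the points discussed above in working configuration: a "bogon" ACL that drops queries from RFC1918 sources via the `blackhole` option, and the split between a recursive resolver and a non-recursive authoritative server. The customer prefixes are placeholders taken from the RFC 5737 documentation ranges; replace them with the ISP's own. In line with the reply above, the RFC1918 filter belongs on the upstream router; the `blackhole` entry is shown only as the nameserver-side fallback so the two placements can be compared.

```conf
// Added example, not from the thread. Two separate named.conf files are
// shown; each "options" block belongs to its own server.

// ---------- shared ACL definitions (put in both files) ----------
acl "bogon" {
    10.0.0.0/8;          // RFC 1918, should never appear as a source on the Internet
    172.16.0.0/12;       // RFC 1918
    192.168.0.0/16;      // RFC 1918
};

acl "customers" {
    192.0.2.0/24;        // placeholder: the ISP's customer ranges go here
    198.51.100.0/24;     // placeholder
};

// ---------- /etc/named.conf on the RECURSIVE resolver ----------
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { customers; localhost; };  // only customers may recurse
    allow-query     { customers; localhost; };  // no open-resolver exposure
    blackhole       { bogon; };                 // fallback only: prefer a router ACL upstream
};

// ---------- /etc/named.conf on the AUTHORITATIVE server ----------
options {
    directory "/var/named";
    recursion no;                    // never resolve on behalf of anyone
    allow-query    { any; };         // authoritative data is public
    allow-transfer { none; };        // list explicit secondaries per zone instead
    blackhole      { bogon; };       // same fallback as on the resolver
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { 203.0.113.5; };  // placeholder secondary address
};
```

Keeping `recursion no` on the authoritative side means a flood of recursive queries cannot consume its cache or CPU, and restricting `allow-recursion` on the resolver keeps it from being used as an open reflector. `blackhole` makes named ignore matching sources entirely, but the query still reaches the host, which is why the reply above recommends dropping such traffic at the router.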

