nanog mailing list archives
Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica
From: Jared Mauch <jared () puck Nether net>
Date: Tue, 4 Aug 2015 19:34:51 -0400
On Tue, Aug 04, 2015 at 12:00:32PM -0400, Jared Mauch wrote:
I recommend using DNSDIST to balance traffic at a protocol level as you can have implementation diversity on the backside.
Here's an example dnsdist config you might find helpful:
This sends queries to the first two servers unless
they are for domains in the "nether" pool list. They go to
other servers.
You can restrict access based on the ACL.
newServer("x.x.223.10")
newServer("x.x.223.20")
-- setServerPolicy(firstAvailable) -- first server within its QPS limit
setServerPolicy(leastOutstanding)
webserver("0.0.0.0:8083", "AskMe")
addACL("192.168.0.0/22")
addACL("10.0.0.0/16")
addACL("172.16.22.0/24")
setKey("AskMe")
controlSocket("127.0.0.1:1099")
newServer{address="129.250.35.250", pool="nether"}
newServer{address="129.250.35.251", pool="nether"}
newServer{address="8.8.8.8", pool="nether"}
addPoolRule({"ntt.net.", "nether.net."}, "nether")
addPoolRule({"arpa.", "google.", "gmail.com.", "google.com.", "googlemail.com."}, "nether")
--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
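
Added example, not part of the original message and not dnsdist code: a small Python model of the routing the posted config describes, useful for checking which pool a given client and query name would land in. It assumes label-wise suffix matching for the pool rule and models only the three ACL prefixes shown in the config (any built-in defaults are not modelled); the function names and sample queries are constructed for illustration.

```python
# Added illustration: models the routing described by the config above.
# ACL prefixes and suffix lists are copied from the posted config.
import ipaddress

ACL = [ipaddress.ip_network(n) for n in
       ("192.168.0.0/22", "10.0.0.0/16", "172.16.22.0/24")]
NETHER_SUFFIXES = ["ntt.net.", "nether.net.", "arpa.", "google.",
                   "gmail.com.", "google.com.", "googlemail.com."]


def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def matches_suffix(qname, suffix):
    """Label-wise suffix match (assumed semantics): 'mail.gmail.com.'
    matches 'gmail.com.', but 'notgmail.com.' does not."""
    q, s = labels(qname), labels(suffix)
    return len(q) >= len(s) and q[len(q) - len(s):] == s


def route(client_ip, qname):
    """Return 'blocked', 'nether', or 'default' for one query."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ACL):
        return "blocked"          # client is outside the listed ACL prefixes
    if any(matches_suffix(qname, s) for s in NETHER_SUFFIXES):
        return "nether"           # 129.250.35.250/.251 and 8.8.8.8
    return "default"              # the two x.x.223.* servers


if __name__ == "__main__":
    # Constructed sample queries (client, qname); not real traffic.
    samples = [("192.168.1.5", "www.nether.net."),
               ("10.0.4.9", "mail.GMAIL.com"),
               ("10.0.4.9", "notgmail.com."),
               ("10.1.0.1", "www.google.com."),
               ("172.16.22.40", "1.0.0.127.in-addr.arpa.")]
    for ip, name in samples:
        print(f"{ip:14} {name:26} -> {route(ip, name)}")
```

The third and fourth samples are the ones worth checking against a real deployment: a name that merely ends in the same characters as a listed suffix stays in the default pool, and 10.1.0.1 falls outside the /16 even though it is in 10.0.0.0/8.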
