nanog mailing list archives
Re: Recommended DNS server for a medium 20-30k users isp
From: Mel Beckman via NANOG <nanog () lists nanog org>
Date: Fri, 8 Aug 2025 16:08:52 +0000
Nick Hilliard said:

Withdrawing DNS service workers due to firewall state overloading can cause cascading service failure which can take out an entire DNS infrastructure within milliseconds. Don't ask me how I know this. Also obviously works when n=1. tl;dr: packet filters only for DNS, preferably in hardware. Don't ever use state tracking

Nick,

Appropriately sized, HA firewall pairs mitigate this pretty handily. In my opinion, the days of not firewalling critical infrastructure are pretty much over. There are just too many potential vulnerabilities to expect packet filters alone to address them. If necessary, you can use multiple segregated firewalled networks for redundancy to mitigate cascading service failures.

-mel

________________________________
From: Nick Hilliard via NANOG <nanog () lists nanog org>
Sent: Friday, August 8, 2025 4:05 AM
To: North American Network Operators Group <nanog () lists nanog org>
Cc: Nick Hilliard <nick () foobar org>
Subject: Re: Recommended DNS server for a medium 20-30k users isp

Saku Ytti via NANOG wrote on 08/08/2025 10:23:
> Eventually you will manage to cause an issue, where all advertisements are falsely pulled.

Someone up-thread mentioned firewalling DNS servers. Withdrawing DNS service workers due to firewall state overloading can cause cascading service failure which can take out an entire DNS infrastructure within milliseconds. Don't ask me how I know this. Also obviously works when n=1.

tl;dr: packet filters only for DNS, preferably in hardware. Don't ever use state tracking.

Nick

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/UGOKLG42SE3GHENKGQMMO63RZ5GWOTM6/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/YV2SZHPCDC5WTH3R55S3JQ567HTEH3BI/
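On a Linux host, Nick's "packet filters only for DNS, don't ever use state tracking" means exempting port 53 from connection tracking before conntrack sees the packet, and then admitting DNS purely on header fields. The ruleset below is an added illustration for this archive page, not something posted in the thread or taken from any project; it assumes nftables on the host that runs the resolver, uses the documentation prefix 192.0.2.0/24 as a constructed management network, and shows the stateful pattern it replaces as a comment beside the stateless one.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): stateless DNS filtering on a resolver host.
# Assumptions: resolver answers on UDP/TCP 53 and, if recursive, sends its own
# queries upstream; 192.0.2.0/24 is a constructed management prefix.

flush ruleset

table inet dns {
    # The weak pattern this replaces (comment only, do not load):
    #   chain input {
    #       type filter hook input priority filter; policy drop;
    #       ct state established,related accept
    #       udp dport 53 accept    # each query opens a conntrack entry
    #       tcp dport 53 accept
    #   }
    # Every UDP query arrives from a fresh source port, so each one becomes a
    # conntrack entry that lives for the UDP timeout. Under a query flood the
    # table fills, the kernel drops new packets, and the health check that
    # decides whether to keep announcing this node sees a dead server.

    # Stateless path: mark DNS as untracked at the raw hook, before conntrack.
    chain pre_raw {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack    # client queries to this server
        tcp dport 53 notrack
        udp sport 53 notrack    # upstream answers to a recursive resolver
        tcp sport 53 notrack
    }
    chain out_raw {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack    # answers we send
        tcp sport 53 notrack
        udp dport 53 notrack    # queries we send upstream
        tcp dport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept

        # Untracked packets never match established/related, so DNS is
        # accepted on header fields alone. The resolver itself matches answers
        # to outstanding queries by source port and transaction ID; the
        # conntrack entry added nothing the resolver does not already check.
        udp dport 53 accept
        tcp dport 53 accept
        udp sport 53 accept
        tcp sport 53 accept

        # Everything else stays stateful: management, ICMP, monitoring.
        ct state invalid drop
        ct state established,related accept
        ip saddr 192.0.2.0/24 tcp dport 22 accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

The two raw-hook chains are what make the difference: `notrack` there keeps DNS out of the conntrack table entirely, so the table size, not the query rate, is no longer the limit. The trade-off is that inbound packets with source port 53 are accepted without state and left to the resolver and the TCP stack to reject. To see whether a stateful box is anywhere near the failure Nick describes, compare `net.netfilter.nf_conntrack_count` against `net.netfilter.nf_conntrack_max` during peak query load; if the count tracks the query rate multiplied by the UDP timeout, DNS is being tracked.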
Current thread:
- Re: Recommended DNS server for a medium 20-30k users isp, (continued)
- Re: Recommended DNS server for a medium 20-30k users isp Mike Hammett via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp brent saner via NANOG (Aug 07)
- Re: Recommended DNS server for a medium 20-30k users isp Robert L Mathews via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Marco Moock via NANOG (Aug 07)
- Re: Recommended DNS server for a medium 20-30k users isp William Herrin via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp David Guo via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Måns Nilsson via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Saku Ytti via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Måns Nilsson via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Nick Hilliard via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Mel Beckman via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Nick Hilliard via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Mel Beckman via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Łukasz Bromirski via NANOG (Aug 09)
- Re: Recommended DNS server for a medium 20-30k users isp Måns Nilsson via NANOG (Aug 09)
- Re: Recommended DNS server for a medium 20-30k users isp Mel Beckman via NANOG (Aug 09)
- Re: Recommended DNS server for a medium 20-30k users isp Saku Ytti via NANOG (Aug 09)
- Re: Recommended DNS server for a medium 20-30k users isp Mel Beckman via NANOG (Aug 09)
- Re: Recommended DNS server for a medium 20-30k users isp Mark Andrews via NANOG (Aug 09)
- Re: Recommended DNS server for a medium 20-30k users isp Tom Beecher via NANOG (Aug 10)
- Re: Recommended DNS server for a medium 20-30k users isp Saku Ytti via NANOG (Aug 08)
- Re: Recommended DNS server for a medium 20-30k users isp Matthew Petach via NANOG (Aug 11)
