nanog mailing list archives
Re: Recommended DNS server for a medium 20-30k users isp
From: Łukasz Bromirski via NANOG <nanog () lists nanog org>
Date: Sat, 9 Aug 2025 10:05:01 +0200
Yeah. As a person who in my $dailyjob builds hardware firewalls (so-called NGFWs but also "SP class" boxes), I can assure you properly configured DNS servers can absolutely defend themselves. If they need protection, you're doing it wrong. And there are design choices (load balancers, ECMP/UCMP, anycast) that make these designs scale and switch over without any problems if additional "capabilities" don't get in their way.

Adding a stateful firewall in front of them is a waste of good hardware. Moreover, if you insist on doing so, you'll likely suffer from state exhaustion or self-DDoS at one point in time. That typically leads you to blame the firewall vendor, and not your poor thinking, design or planning skills. Don't do that. KISS is decent design practice.

Doing "tricks" with a firewall may be relevant to an Enterprise type of deployment, where "fusing" DNS info with other pieces (identity, data plane telemetry, etc.) is typically an element of your security architecture (and defense).

What is way more useful for layered defence is applying QoS on the upstream switch/router if it is enforced in hardware. "QoS" as expressed in maximum packets/second (which are roughly requests), not as in bits/second (which is pretty useless). That is, if you do know the rough levels exceeding which make your server behave in a less stable/predictable way. This is hardly unique or innovative though.

I did deploy myself, and helped others to deploy, FreeBSD-based BIND and nsd+unbound anycasted DNS servers. The biggest one (two pairs of Xeon-based servers) was handling requests from ~3 million users while mostly idling last time I checked. And that was a couple of years ago. I know it's still in production and handling "more". The only firewall they have is pf with a pretty generic set of rules to drop host attacks and protect management access; DNS traffic is unfiltered as it doesn't make any sense.

-- 
./
> On 8 Aug 2025, at 18:20, Nick Hilliard via NANOG <nanog () lists nanog org> wrote:
>
> Mel Beckman wrote on 08/08/2025 17:08:
> > Appropriately sized, HA firewall pairs mitigate this pretty handily.
>
> Mel,
>
> Please don't let me stop you from doing this. The failure modes are really quite entertaining, at least from a distance.
>
> Anyone got popcorn?
>
> Nick
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/UX4IGFEXHJD5LIX5ITPUQK3HGDJPP23R/
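The post above describes the pattern of a host-local pf ruleset that protects the box and its management plane while leaving the DNS service path stateless, so that there is no state table to exhaust. The pf.conf below is an added example illustrating that pattern; it is not taken from the thread or from any of the deployments the poster describes. The interface name, the service address (from the 192.0.2.0/24 documentation range), the management prefix and the rate-limit numbers are all assumptions for illustration.

```pf
# Added example, not from the thread: a minimal FreeBSD pf.conf for an
# anycasted DNS server in the spirit described above. All names, addresses
# and thresholds below are assumptions chosen for illustration.
ext_if   = "vtnet0"                  # assumed upstream-facing interface
dns_v4   = "192.0.2.53"              # assumed anycast service address
mgmt_net = "{ 198.51.100.0/24 }"     # assumed management prefix

set skip on lo0
set block-policy drop
scrub in on $ext_if all fragment reassemble

# Sources that trip the management-plane rate limit land here and are dropped.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>

# Drop packets arriving on the outside interface with spoofed local sources.
antispoof quick for $ext_if

# DNS service traffic is passed WITHOUT state in either direction: nothing for
# a query flood to exhaust. "flags any" is needed so stateless TCP matches
# more than bare SYNs.
pass in  quick on $ext_if proto udp to   $dns_v4 port 53 no state
pass out quick on $ext_if proto udp from $dns_v4 port 53 no state
pass in  quick on $ext_if proto tcp to   $dns_v4 port 53 flags any no state
pass out quick on $ext_if proto tcp from $dns_v4 port 53 flags any no state

# If the box also runs a recursor (e.g. unbound), its outbound queries and the
# authoritative answers coming back are likewise handled statelessly.
pass out quick on $ext_if proto { udp tcp } from $dns_v4 to any port 53 flags any no state
pass in  quick on $ext_if proto { udp tcp } from any port 53 to $dns_v4 flags any no state

# Management access only from the management prefix, stateful and rate-limited:
# more than 10 new connections in 30 seconds from one source puts that source
# into <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp from $mgmt_net to $dns_v4 port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 10/30, overload <bruteforce> flush global)

# ICMP needed for path MTU discovery and basic reachability checks.
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach }

# Everything else inbound is dropped; the host may still originate traffic.
block in on $ext_if
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. The design choice worth noting is the split: the only rules that create state are the ones for the management plane, which is low-volume and comes from a known prefix, so the state table stays small and bounded however hard the DNS service is queried. Anything that should be capped by packets per second belongs upstream in hardware, as the post says, not in this ruleset.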