DNS DoS ???

John Adams jna at retina.net
Sat Jul 30 19:04:16 UTC 2011


I don't think anycast works the way you think it does. It'll distribute load
for single dns servers, but not the case that he is describing.

-j


On Sat, Jul 30, 2011 at 12:01 PM, Alex Nderitu <nderitualex at gmail.com> wrote:

> Dns anycast can in addition to acl help distribute load.
>  On Jul 30, 2011 9:44 PM, "Jon Lewis" <jlewis at lewis.org> wrote:
> > On Sat, 30 Jul 2011, Drew Weaver wrote:
> >
> >>> my DNS servers were getting slow so I blocked recursive queries for all
> >>> but my own network.
> >>
> >> This should be the standard practice. By operating an open recursor,
> >> you lend your DNS server to abuse as a contributor to DNS
> >> reflection/amplification attacks.
> >>
> >> -----------------------------------------------------------------------
> >>
> >> And at this point he may as well just ACL in-front of the recursors to
> >> prevent the traffic from hitting the servers thus reducing load needed
> >> to reject the queries on the servers themselves.
> >
> > An awful lot of older/smaller deployments have single servers doing both
> > authoritative and recursive DNS. These should be set up with either an
> > allow-recursion { ACL;} statement or separate authoritative and recursive
> > views limiting recursion to just those networks that should be sending
> > recursive queries.
> >
> > Another option is to run separate services bound to different individual
> > IPs on the server. i.e. bind9 or powerdns for authoritative DNS and
> > unbound for recursion.
> >
> > ----------------------------------------------------------------------
> > Jon Lewis, MCP :) | I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> >
>
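For readers who want to see what the two BIND 9 layouts Jon describes (an allow-recursion ACL, or separate authoritative and recursive views) look like in practice, here is an added named.conf sketch. It is not from anyone in this thread; the zone name example.com, the file path, and the network ranges in the "our-nets" ACL are constructed placeholders (RFC 1918 and RFC 5737 space) that you would replace with your own.

```conf
// Added example, not from the thread. Constructed ACL: replace with the
// networks that are actually allowed to send recursive queries.
acl "our-nets" {
    127.0.0.0/8;
    10.0.0.0/8;          // assumed internal range
    192.0.2.0/24;        // assumed customer range
};

options {
    directory "/var/named";   // assumed path
    // Layout A (no views): keep zones at top level and add
    //     recursion yes;
    //     allow-recursion { "our-nets"; };
    //     allow-query-cache { "our-nets"; };
    // here. Layout B (below) uses views instead; BIND requires that all
    // zones live inside views once any view statement is present.
};

// Internal view: our own clients get recursion and the cache, plus the
// zones we are authoritative for.
view "internal" {
    match-clients { "our-nets"; };
    recursion yes;
    allow-query-cache { "our-nets"; };

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

// External view: everyone else only gets authoritative answers. Recursive
// queries are refused, so the server cannot be used as a reflector.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Check the file with `named-checkconf` before reloading. To confirm the effect, query the server from an address outside "our-nets" for a name it is not authoritative for: the answer should come back with status REFUSED and without the RA flag, while a query for example.com still returns the authoritative data. Views are matched in the order written, so the "internal" view must appear before the catch-all "external" one.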


