DNS DoS ???

Mike Sabbota mike at sabbota.com
Sat Jul 30 19:15:32 UTC 2011


With these types of attacks, usually anycast will cause rolling
outages. Anycast gives you failover, which makes sure the attack (and
good) traffic makes it to the next available server to be impaired or
taken offline.



On Jul 30, 2011, at 1:01 PM, Alex Nderitu <nderitualex at gmail.com> wrote:

> DNS anycast can in addition to ACL help distribute load.
> On Jul 30, 2011 9:44 PM, "Jon Lewis" <jlewis at lewis.org> wrote:
>> On Sat, 30 Jul 2011, Drew Weaver wrote:
>>
>>>> my DNS servers were getting slow so I blocked recursive queries for all
>>>> but my own network.
>>>
>>> This should be the standard practice. By operating an open recursor,
>>> you lend your DNS server to abuse as a contributor to DNS
>>> reflection/amplification attacks.
>>>
>>> -----------------------------------------------------------------------
>>>
>>> And at this point he may as well just ACL in-front of the recursors to
>>> prevent the traffic from hitting the servers thus reducing load needed
>>> to reject the queries on the servers themselves.
>>
>> An awful lot of older/smaller deployments have single servers doing both
>> authoritative and recursive DNS. These should be set up with either an
>> allow-recursion { ACL; } statement or separate authoritative and recursive
>> views limiting recursion to just those networks that should be sending
>> recursive queries.
>>
>> Another option is to run separate services bound to different individual
>> IPs on the server. i.e. bind9 or powerdns for authoritative DNS and
>> unbound for recursion.
>>
>> ----------------------------------------------------------------------
>> Jon Lewis, MCP :) | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>>
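The allow-recursion ACL and the split authoritative/recursive views that Jon Lewis describes above, written out as an added BIND 9 named.conf example. This is not configuration from anyone in the thread; the prefixes, the zone name and the file paths are constructed placeholders.

```conf
// Constructed example: one BIND 9 server that is authoritative for
// example.com but only recurses for its own networks. The prefixes,
// zone name and paths are placeholders, not values from the thread.

acl "our-networks" {
    127.0.0.0/8;        // localhost
    192.0.2.0/24;       // placeholder: our customer prefix
    2001:db8::/32;      // placeholder: our IPv6 prefix
};

options {
    directory "/var/named";
    allow-query { any; };          // authoritative data stays public
};

// Recursive view: only clients matching the ACL land here. They get
// recursion, cache access and the authoritative zone.
view "internal" {
    match-clients { "our-networks"; };
    recursion yes;
    allow-recursion { "our-networks"; };
    allow-query-cache { "our-networks"; };   // keep cached answers private too

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

// Authoritative-only view: everyone else. With recursion off, a query for
// a name we are not authoritative for is REFUSED rather than resolved, so
// the server cannot be used as an open reflector/amplifier.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

If views are more than you need, the simpler form Jon mentions works the same way: keep a single top-level `zone` statement and put `recursion yes; allow-recursion { "our-networks"; }; allow-query-cache { "our-networks"; };` in `options`. Either way, run `named-checkconf` before reloading, and then confirm from an address outside the ACL that a recursive query for a foreign name comes back REFUSED while a query for your own zone is still answered.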




More information about the NANOG mailing list