Domain Name System protection

Joe Shen joe_hznm at yahoo.com.sg
Mon Aug 16 04:57:29 UTC 2004


Hi,

We are trying to extend our DNS service system in the near future. At the current stage, it consists of 2 SUN FIRE servers with Solaris 8 and BIND9 installed. Each server is configured with an IP address which is known to our customers. The DNS server is set up as a cache server because it only serves our customers to look up domain names.

We noticed there are continuous name resolution requests from IP addresses outside of our address pool, and also there are requests not conforming to DNS documents (like those from 10/8, 192.168/16, or something for a Microsoft proxy server name). We think these requests waste our resources and we don't want them; we want the system stable, secure and high performance.

The number of DNS requests processed in the past week is about 0.8 billion.

What I'm not sure about in designing the new cache server farm is:

1. Is it really required to protect the DNS server by a firewall? How do those ISPs, e.g. AT&T, Sprint, make their DNS systems highly available? Could we do that by filtering traffic other than that destined to port 53?

2. How could we extend our server farm by adding new servers while announcing the same IP addresses to our customers?

3. Are there any evaluation results for DNS server software, e.g. performance, resources required, stability, security etc.?

4. Which hardware/OS platform is better for DNS service?

5. Is it possible to filter those requests not conforming to DNS documents?

Each word will be highly appreciated!

Joe

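As an added illustration for question 5 (not part of Joe's post), this is how a caching-only BIND 9 server can be restricted to the customer pool and made to drop queries from private source addresses such as 10/8 and 192.168/16. The customer prefix 198.51.100.0/24 and the file paths are placeholders, not values from the post.

```conf
// Weak: a caching-only BIND 9 server with no ACLs answers recursive
// queries from anyone on the Internet (an "open resolver").
options {
    directory "/var/named";
    recursion yes;
};

// Corrected: recursion only for the customer pool, and packets from
// source addresses that should never reach the server are dropped.
// 198.51.100.0/24 is a placeholder for the real customer address pool.
acl "customers" {
    198.51.100.0/24;
    localhost;              // the server itself (built-in ACL)
};

// Private and reserved ranges that cannot be legitimate Internet sources.
// 127/8 is deliberately left out so local queries to 127.0.0.1 still work.
acl "bogons" {
    0.0.0.0/8;              // "this" network
    10.0.0.0/8;             // RFC 1918 private space (seen in the post)
    169.254.0.0/16;         // link-local
    172.16.0.0/12;          // RFC 1918 private space
    192.168.0.0/16;         // RFC 1918 private space (seen in the post)
};

options {
    directory "/var/named";
    recursion yes;
    allow-query { customers; };       // only customers get answers at all
    allow-recursion { customers; };   // only customers may use the cache
    blackhole { bogons; };            // silently ignore these sources
};

// Log what still reaches the server so the remaining noise can be measured.
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 20m;  // placeholder path
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};
```

Blackholed traffic never appears in the query log, so its volume has to be measured on the router or firewall in front of the servers. The two `options` blocks are shown side by side for comparison; a real named.conf contains only the corrected one.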


