Summary with further Question: Domain Name System protection
bmanning at vacation.karoshi.com
Tue Aug 17 03:57:17 UTC 2004
> 1. ISPs use firewall to protect their DNS server;
some do, some don't
> 4. Anycast is the most scalable and standard solution
> for dispersed DNS server farm, while layer-4 switch
> could deal with centralized server farm;
it's not a standard.
> 5. 'bogon' in BIND configuration could be used to
> filter requests from RFC1918 address;
this should be pushed to
the router. don't waste CPU cycles
on the Nameserver.
> 6. Firewall may become bottleneck of DNS server farm
> in situation of DoS attack or situation of high
> session rate;
yes
> 7. It's good solution to divide DNS servers into two
> groups, one for recursive lookup the other for
> non-recursive;
yes
> 8. BIND should be configured carefully and there is
> BIND secure template to follow
altho the template will not meet every case.
> a) If firewall is used to protect DNS server farm,
> could it do more than router's ACL while reaching the
> same performance-cost ratio ? which one is usually
> chosen by those ISPs having big customer numbers? (we
> noticed DNS requests from our customers keep increasing
> in past months)
general rule - drop undesired traffic as far
upstream as possible.
> b) Is there any publicly available performance
> evaluation on Nominum's product?
you should check w/ the Nominum staff on any
performance evaluations.
>
> Any of your words will be highly appreciated.
>
> Joe
>
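An added illustration of items 5 and 7, not part of the original message and not taken from the BIND secure template mentioned in item 8: two named.conf fragments, one per server group, showing a "bogon" ACL used with blackhole and the recursive/non-recursive split. The ACL name "customers" and the prefix 192.0.2.0/24 are placeholders, and only the RFC1918 ranges named in item 5 are listed.

```conf
// ---- Group 1: authoritative (non-recursive) servers ----
// Answers queries for hosted zones from anyone, never recurses.

acl "bogon" {
    10.0.0.0/8;        // RFC1918
    172.16.0.0/12;     // RFC1918
    192.168.0.0/16;    // RFC1918
};

options {
    blackhole { bogon; };      // no answers to, and no queries sent to, these sources
    recursion no;              // authoritative only
    allow-query { any; };
    allow-transfer { none; };  // open up per zone for real secondaries
};

// ---- Group 2: recursive resolvers for customers ----
// Separate hosts, separate named.conf. Recursion is limited to
// the ISP's own address space (placeholder prefix below).

acl "bogon" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl "customers" {
    192.0.2.0/24;      // placeholder: replace with real customer prefixes
};

options {
    blackhole { bogon; };
    recursion yes;
    allow-recursion { customers; };
    allow-query { customers; };
    allow-transfer { none; };
};
```

If customers reach the resolvers from RFC1918 space (for example behind provider NAT), those ranges must come out of the "bogon" list on the recursive group. The same source prefixes can be dropped in a router ACL ahead of the servers, which is what the reply to item 5 recommends.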