Summary with further Question: Domain Name System protection

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Tue Aug 17 03:57:17 UTC 2004


> 1. ISPs use firewall to protect their DNS server;

	some do, some don't

> 4. Anycast is the most scalable and standard solution
> for a dispersed DNS server farm, while a layer-4 switch
> could deal with a centralized server farm;

	it's not a standard.

> 5. 'bogon' in the BIND configuration could be used to
> filter requests from RFC1918 addresses;

	this should be pushed to
	the router.  don't waste CPU cycles
	on the Nameserver.

> 6. A firewall may become the bottleneck of a DNS server farm
> in a DoS attack or in a situation of high
> session rate;

	yes

> 7. It's a good solution to divide DNS servers into two
> groups, one for recursive lookup, the other for
> non-recursive;

	yes

> 8. BIND should be configured carefully and there is a
> BIND secure template to follow

	although the template will not meet every case.

> a) If a firewall is used to protect the DNS server farm,
> could it do more than a router's ACL while reaching the
> same performance-cost ratio? Which one is usually
> chosen by those ISPs having big customer numbers? (we
> noticed DNS requests from our customers keep increasing
> in past months)

	general rule - drop undesired traffic as far
	upstream as possible.

> b) Is there any publicly available performance
> evaluation of Nominum's product?

	you should check w/ the Nominum staff on any
	performance evaluations.

> 
> Any of your words will be highly appreciated.
> 
> Joe
> 
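An added configuration example, not from the thread or from either poster, illustrating points 5, 7 and a) above: two separate BIND 9 instances (a recursive group and a non-recursive, authoritative-only group), with RFC1918 sources blackholed on the resolver and the same filtering pushed upstream into a router ACL. All addresses, zone names and file paths are constructed for illustration: customer space is assumed to be 203.0.113.0/24, the authoritative zone is assumed to be example.net, and the router ACL uses Cisco IOS syntax.

```conf
// ===== File 1: named.conf on the RECURSIVE group (resolver for customers) =====
// Constructed example; addresses and zone names are placeholders.

acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl "customers" {
    203.0.113.0/24;     // assumed customer prefix
    127.0.0.1;
};

options {
    directory "/var/named";
    recursion yes;
    // only customers may use this box as a resolver
    allow-recursion { customers; };
    allow-query { customers; };
    // queries from RFC1918 sources are silently dropped, not answered;
    // this is the "bogon" filtering of point 5, done on the nameserver
    blackhole { rfc1918; };
    version "none";
};

// ===== File 2: named.conf on the NON-RECURSIVE group (authoritative only) =====
// Constructed example; this instance serves only its own zones.

options {
    directory "/var/named";
    recursion no;          // never resolve on behalf of anyone
    allow-query { any; };  // the world may ask for our zones
    allow-transfer { none; };
    version "none";
};

zone "example.net" {
    type master;
    file "example.net.zone";   // assumed zone file path
};

! ===== Router ingress ACL (Cisco IOS syntax, constructed example) =====
! Drops RFC1918-sourced DNS traffic before it reaches the nameservers,
! which is where the reply above says the filtering belongs.
! 203.0.113.53 is an assumed nameserver address.
ip access-list extended DNS-INGRESS
 deny   udp 10.0.0.0 0.255.255.255 any eq domain
 deny   udp 172.16.0.0 0.15.255.255 any eq domain
 deny   udp 192.168.0.0 0.0.255.255 any eq domain
 deny   tcp 10.0.0.0 0.255.255.255 any eq domain
 deny   tcp 172.16.0.0 0.15.255.255 any eq domain
 deny   tcp 192.168.0.0 0.0.255.255 any eq domain
 permit udp any host 203.0.113.53 eq domain
 permit tcp any host 203.0.113.53 eq domain
```

The two `options` blocks belong to two different `named.conf` files on two different hosts; they are shown together only for comparison. The router ACL and the `blackhole` statement filter the same sources, but the ACL discards the packets before they consume nameserver CPU or firewall session state, which is the point of "drop undesired traffic as far upstream as possible"; the `blackhole` entry remains as defence in depth. Splitting the roles means a flood of recursive queries against the resolver cannot degrade authoritative service for the zones, and the authoritative group, with `recursion no`, cannot be used as an open resolver.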