Summary with further Question: Domain Name System protection

sthaug at nethelp.no
Tue Aug 17 09:03:27 UTC 2004


> 1. ISPs use a firewall to protect their DNS servers;

Depends. You don't normally need a full fledged (stateful) firewall.
Normal (stateless) router access lists are just fine.

> 2. An ACL on the router may be a good solution for protecting
> DNS servers; the policy could be "only pass those
> packets which originate from customers' IP address
> blocks and are destined to UDP port 53 of the DNS server";

In general, allow only relevant traffic. That may be a bit more than
just UDP port 53: You really want to allow TCP based DNS queries also,
and your name server probably needs SSH, NTP and similar.

> 5. 'bogon' in the BIND configuration could be used to
> filter requests from RFC1918 addresses;

Better to do it on the router.

> 6. A firewall may become the bottleneck of a DNS server farm
> during a DoS attack or at high session rates;

Routers with hardware based access lists. No problem.

> b) Is there any publicly available performance
> evaluation of Nominum's product?

See Brad Knowles' tests:

http://www.ripe.net/ripe/meetings/archive/ripe-44/presentations/ripe44-dns-dnscomp.pdf

We currently have the Nominum CNS on trial here, and we are very 
impressed. It performs much better than BIND 8/9 - our measurements
show even greater differences than Brad Knowles' tests. Example: One
server running BIND 9 shows more than 30% CPU usage during peak hours,
but only 2-3% with Nominum CNS. We also have the issue that BIND 9
seems to start *failing* when it reaches a certain cache size (as in:
Some queries are either not answered at all, or they are answered
with SERVFAIL).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
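
The access-list policy discussed above (drop RFC1918 sources on the router, permit UDP and TCP port 53 from the customer blocks, permit the SSH and NTP the name server itself needs, deny the rest) as a small stateless-filter model. This is an added illustration by the editor, not code from Steinar's message or the thread. All prefixes are constructed documentation addresses, and the server is assumed to be a recursive resolver for the ISP's customers, which is why answers arriving from source port 53 have to be admitted from anywhere: a stateless ACL has no session table to tie them to the outgoing query, and the model makes that limitation visible.

```python
"""Stateless router-ACL model for an ISP's customer-facing DNS resolver.

Added illustration, not code from the original post. It evaluates packets
against an ordered rule list the way a stateless router access list does:
first match wins, no connection state. The policy follows the thread: drop
RFC1918 (bogon) sources on the router, permit UDP *and* TCP port 53 from the
customer blocks, permit SSH and NTP the server itself needs, deny the rest.
Every address and prefix here is a constructed example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

# Constructed example prefixes (assumptions, not from the original post).
DNS_SERVER = ip_network("198.51.100.53/32")
CUSTOMER_BLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
MGMT_BLOCK = [ip_network("198.51.100.0/28")]           # admin hosts allowed SSH
NTP_SERVERS = [ip_network("192.0.2.0/28")]              # the resolver's NTP peers
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = []  # empty prefix list means "match any address"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str]             # None = any protocol
    src: Sequence[IPv4Network]       # empty = any
    dst: Sequence[IPv4Network]
    sport: Optional[int]             # None = any port
    dport: Optional[int]
    note: str

    def matches(self, p: Packet) -> bool:
        def in_any(addr: str, nets: Sequence[IPv4Network]) -> bool:
            return not nets or any(ip_address(addr) in n for n in nets)
        return ((self.proto is None or self.proto == p.proto)
                and in_any(p.src, self.src) and in_any(p.dst, self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


# Order matters: a stateless ACL stops at the first matching line.
ACL = [
    # Point 5: bogon filtering belongs on the router, ahead of every permit.
    Rule("deny", None, RFC1918, ANY, None, None, "RFC1918 source"),
    # Point 2: customer queries over UDP and TCP (TCP is needed for truncated answers).
    Rule("permit", "udp", CUSTOMER_BLOCKS, [DNS_SERVER], None, 53, "customer UDP query"),
    Rule("permit", "tcp", CUSTOMER_BLOCKS, [DNS_SERVER], None, 53, "customer TCP query"),
    # Assumption: the server is a recursive resolver, so answers from
    # authoritative servers arrive from source port 53 to an ephemeral port.
    # A stateless filter cannot tie them to the outgoing query, so this line
    # necessarily admits any packet with source port 53 to the resolver.
    Rule("permit", "udp", ANY, [DNS_SERVER], 53, None, "reply to recursive query"),
    Rule("permit", "tcp", ANY, [DNS_SERVER], 53, None, "reply to recursive TCP query"),
    # Management and time sync the name server itself needs.
    Rule("permit", "tcp", MGMT_BLOCK, [DNS_SERVER], None, 22, "SSH from management"),
    Rule("permit", "udp", NTP_SERVERS, [DNS_SERVER], 123, 123, "NTP from configured peers"),
]


def evaluate(p: Packet) -> tuple:
    """Return (action, note) of the first matching rule; implicit deny otherwise."""
    for rule in ACL:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample packets exercising each branch of the policy.
    samples = [
        Packet("203.0.113.10", "198.51.100.53", "udp", 40123, 53),   # customer query
        Packet("203.0.113.10", "198.51.100.53", "tcp", 40124, 53),   # customer TCP query
        Packet("192.168.1.20", "198.51.100.53", "udp", 40125, 53),   # RFC1918 source
        Packet("192.0.2.200", "198.51.100.53", "udp", 40126, 53),    # non-customer query
        Packet("192.0.2.200", "198.51.100.53", "udp", 53, 34567),    # upstream reply
        Packet("198.51.100.5", "198.51.100.53", "tcp", 50000, 22),   # SSH from management
        Packet("203.0.113.10", "198.51.100.53", "tcp", 50001, 22),   # SSH from a customer
    ]
    for p in samples:
        action, note = evaluate(p)
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {action:6} ({note})")
```

Running the module prints one verdict per sample packet. The two "reply" lines are the price of going stateless: anyone can reach the resolver's UDP ports by sending from source port 53, so the resolver software itself, not the router, has to be robust against unsolicited packets there.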



More information about the NANOG mailing list