Summary with further Question: Domain Name System protection
sthaug at nethelp.no
Tue Aug 17 09:03:27 UTC 2004
> 1. ISPs use a firewall to protect their DNS servers;
Depends. You don't normally need a full-fledged (stateful) firewall.
Normal (stateless) router access lists are just fine.
> 2. An ACL on the router may be a good solution for protecting
> DNS servers; the policy could be "only pass those
> packets which originate from customers' IP address
> blocks and are destined for UDP port 53 of the DNS server";
In general, allow only relevant traffic. That may be a bit more than
just UDP port 53: You really want to allow TCP-based DNS queries also,
and your name server probably needs SSH, NTP and similar.
> 5. 'bogon' in the BIND configuration could be used to
> filter requests from RFC 1918 addresses;
Better to do it on the router.
> 6. A firewall may become the bottleneck of a DNS server farm
> in the event of a DoS attack or a high
> session rate;
Routers with hardware-based access lists. No problem.
> b) Is there any publicly available performance
> evaluation of Nominum's product?
See Brad Knowles' tests:
http://www.ripe.net/ripe/meetings/archive/ripe-44/presentations/ripe44-dns-dnscomp.pdf
We currently have the Nominum CNS on trial here, and we are very
impressed. It performs much better than BIND 8/9 - our measurements
show even greater differences than Brad Knowles' tests. Example: One
server running BIND 9 shows more than 30% CPU usage during peak hours,
but only 2-3% with Nominum CNS. We also have the issue that BIND 9
seems to start *failing* when it reaches a certain cache size (as in:
Some queries are either not answered at all, or they are answered
with SERVFAIL).
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
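The stateless access-list policy discussed in the message above (customer blocks only to UDP and TCP 53, SSH and NTP for the server itself, RFC 1918 sources dropped on the router rather than in BIND), written out as a first-match-wins rule set and evaluated against constructed packets. This is an added example, not code or configuration from the original post or from Nethelp; the addresses are made up from RFC 5737 documentation prefixes, and the two "recursion" rules are an assumption about a caching server that needs the answers to its own upstream queries let back in through a filter that keeps no state.

```python
"""Stateless router-ACL policy for an ISP caching DNS server, first match wins.

Added example, not from the original post. Addresses are constructed from
RFC 5737 documentation prefixes; the rule set is one reading of the policy
discussed on the list, not a configuration anyone is known to run.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK bit, used for "established" matching


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    proto: str = "any"
    src: Tuple[ipaddress.IPv4Network, ...] = ()   # empty tuple = any source
    dst: Tuple[ipaddress.IPv4Network, ...] = ()   # empty tuple = any destination
    sport: Optional[range] = None                 # None = any port
    dport: Optional[range] = None
    established: bool = False                     # TCP only: require ACK set
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src and not any(s in n for n in self.src):
            return False
        if self.dst and not any(d in n for n in self.dst):
            return False
        if self.sport is not None and pkt.sport not in self.sport:
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def nets(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Constructed topology (assumption): the resolver, the ISP's customer blocks,
# the management subnet and the upstream NTP server.
SERVER = nets("198.51.100.53/32")
CUSTOMERS = nets("203.0.113.0/24", "192.0.2.0/24")
MGMT = nets("198.51.100.0/28")
NTP_SERVERS = nets("198.51.100.123/32")
# RFC 1918 plus a few other never-routable sources, dropped before anything else.
BOGONS = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")
PORT_DNS, PORT_SSH, PORT_NTP = range(53, 54), range(22, 23), range(123, 124)
EPHEMERAL = range(1024, 65536)

# Inbound ACL on the router interface facing the DNS server. Order matters:
# a stateless ACL is evaluated top to bottom and the first match decides.
DNS_ACL = [
    Rule("deny", src=BOGONS, name="bogon-src"),
    Rule("permit", "udp", CUSTOMERS, SERVER, dport=PORT_DNS, name="dns-udp"),
    Rule("permit", "tcp", CUSTOMERS, SERVER, dport=PORT_DNS, name="dns-tcp"),
    Rule("permit", "tcp", MGMT, SERVER, dport=PORT_SSH, name="ssh-mgmt"),
    Rule("permit", "udp", NTP_SERVERS, SERVER, sport=PORT_NTP, dport=PORT_NTP, name="ntp"),
    # A caching server sends its own queries upstream; with no state table the
    # answers (src port 53 -> the server's ephemeral port) must be let back in.
    # The TCP variant relies on the ACK bit, which anyone can set, so it is
    # only as strong as the ephemeral-port restriction in front of it.
    Rule("permit", "udp", (), SERVER, sport=PORT_DNS, dport=EPHEMERAL, name="recursion-udp"),
    Rule("permit", "tcp", (), SERVER, sport=PORT_DNS, dport=EPHEMERAL,
         established=True, name="recursion-tcp"),
]


def evaluate(acl, pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit"


if __name__ == "__main__":
    for pkt in (
        Packet("203.0.113.7", "198.51.100.53", "udp", 40123, 53),    # customer query
        Packet("192.168.1.5", "198.51.100.53", "udp", 40123, 53),    # RFC 1918 source
        Packet("198.51.100.200", "198.51.100.53", "udp", 40123, 53), # non-customer
    ):
        print(pkt.src, "->", evaluate(DNS_ACL, pkt))
```

The bogon deny sits first so that a spoofed RFC 1918 source never reaches the permit rules, and the implicit deny at the end is what keeps the server from being an open resolver: a query from an address outside the customer blocks matches nothing and is dropped. The rule set is the same shape you would write as an extended access list on the router, where the hardware evaluates it at line rate regardless of query load.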