[EXT] Fwd: Re: problems sending to prodigy.net hosted email

Charles Bronson cbronson at iec-electronics.com
Tue Mar 20 17:15:25 UTC 2018


If this isn't pertinent to the list, feel free to answer privately. How did you implement the server that got rid of ARP storms?


Charles Bronson



-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Stephen Satchell
Sent: Monday, March 19, 2018 9:31 PM
To: nanog at nanog.org
Subject: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

Two DNS servers hosted on one box (or VM object), even with two addresses, is easily compromised by DDoS amplification attacks.  That's the norm for a number of "web control panel" systems like Plesk and CPanel.

It depends on the scale of your operations.  Last time I was in that situation, I had roughly 25,000 domains spread across 30 servers.  Life became MUCH simpler when I put up dedicated, and high-power, physical systems running non-recursive BIND for DNS1 and DNS2, as well as another pair of boxes running recursive servers as DNS3 and DNS4.

Getting QMail and Exim to "smart host" to my monster MX servers proved to be pretty easy, and I even was able to get the web servers to tell me when a mailbox was full so I could reject the SMTP exchange at the edge, instead of generating backscatter.

And, with a pool of roughly 4,000 IP addresses, I got rid of ARP storms in our network by putting up a little server called "ackbar", that was configured to respond to all otherwise unused IP addresses in our pool.
(Edge routers were Cisco 7000 class, with DS3 uplinks.)

Lessons learned well.

-------- Forwarded Message --------
Subject: Re: problems sending to prodigy.net hosted email
Date: Mon, 19 Mar 2018 17:55:33 +0100
From: Chris <chris2014 at postbox.xyz>
To: C. Jon Larsen <jlarsen at richweb.com>
CC: nanog at nanog.org

On Mon, 19 Mar 2018 11:56:16 -0400 (EDT) C. Jon Larsen wrote:

> > Why not? Never had a problem with multiple services on linux, in 
> > contrast to windows where every service requires its own box (or at 
> > least vm).
> 
> Go for it ! Failure is an awesome teacher :)

Don't really see a problem, especially since you normally always have two DNS servers...

--
Pope Francis calls for a fight against fake news. We think the man who presents himself as the representative of Christ, of whom he claims that his mother remained a virgin her whole life and that he could walk on water and turn it into wine, is completely right.
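As an added illustration of the "ackbar" idea from Satchell's message above (a host that answers for every otherwise unused address in a pool so the edge router stops broadcasting unanswered ARP requests for them), and not his actual implementation, which the thread does not describe: the Python below takes a pool prefix and a constructed allocation file, computes the unallocated host addresses, and emits Linux `ip addr add` commands that would make a sink host own those addresses and therefore answer ARP for them. The pool, the allocation list, the interface name `eth0` and the choice of `ip addr add` as the mechanism are all assumptions made for this example.

```python
import ipaddress
from typing import Iterable, List, Set

# Constructed sample allocation file (not from the thread): one line per
# address in use, "address owner", with '#' comments. 192.0.2.0/24 is the
# RFC 5737 documentation range.
ALLOCATION_TEXT = """\
# address      owner
192.0.2.1      gw-router
192.0.2.2      web01
192.0.2.4      mail01
"""


def parse_allocations(text: str) -> List[str]:
    """Return the addresses listed in an allocation file, ignoring comments
    and blank lines. Only the first column is used; the owner is informational."""
    addrs: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addrs.append(line.split()[0])
    return addrs


def unused_addresses(pool: str, allocated: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Return every host address in `pool` that is not in `allocated`.

    Network and broadcast addresses are skipped via .hosts(). An allocated
    address outside the pool is rejected rather than silently ignored, since
    that usually means the allocation file and the pool disagree."""
    net = ipaddress.ip_network(pool, strict=True)
    taken: Set[ipaddress.IPv4Address] = set()
    for a in allocated:
        addr = ipaddress.ip_address(a)
        if addr not in net:
            raise ValueError(f"{addr} is not inside pool {net}")
        taken.add(addr)
    return [h for h in net.hosts() if h not in taken]


def sink_commands(addrs: Iterable[ipaddress.IPv4Address], dev: str = "eth0") -> List[str]:
    """Emit commands that give the sink host each unused address as a /32 on
    `dev`. A Linux host answers ARP for any address configured on the
    receiving interface (default arp_ignore=0), which is what stops the
    router's repeated ARP broadcasts for unallocated addresses.
    Assumption: Linux iproute2 syntax; the page does not say how ackbar did it."""
    return [f"ip addr add {a}/32 dev {dev}" for a in addrs]


def build_sink_config(pool: str, allocation_text: str, dev: str = "eth0") -> List[str]:
    """Whole pipeline: allocation file -> unused set -> sink commands."""
    return sink_commands(unused_addresses(pool, parse_allocations(allocation_text)), dev)


if __name__ == "__main__":
    for cmd in build_sink_config("192.0.2.0/29", ALLOCATION_TEXT):
        print(cmd)
```

The sink host should also drop, at its own firewall, any traffic that arrives for these addresses, so that it only absorbs the ARP side of the problem and never answers on behalf of a service. When an address is later allocated, it must be removed from the sink first, or two hosts will answer ARP for it.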

