[143139] in North American Network Operators' Group
RE: DNS DoS ???
daemon@ATHENA.MIT.EDU (Alex Nderitu)
Sat Jul 30 15:01:57 2011
In-Reply-To: <Pine.LNX.4.61.1107301438390.3994@soloth.lewis.org>
Date: Sat, 30 Jul 2011 22:01:23 +0300
From: Alex Nderitu <nderitualex@gmail.com>
To: Jon Lewis <jlewis@lewis.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Dns anycast can in addition to acl help distribute load.
On Jul 30, 2011 9:44 PM, "Jon Lewis" <jlewis@lewis.org> wrote:
> On Sat, 30 Jul 2011, Drew Weaver wrote:
>
>>> my DNS servers were getting slow so I blocked recursive queries for all
>>> but my own network.
>>
>> This should be the standard practice. By operating an open recursor,
>> you lend your DNS server to abuse as a contributor to DNS
>> reflection/amplification attacks.
>>
>> -----------------------------------------------------------------------
>>
>> And at this point he may as well just ACL in-front of the recursors to
>> prevent the traffic from hitting the servers thus reducing load needed
>> to reject the queries on the servers themselves.
>
> An awful lot of older/smaller deployments have single servers doing both
> authoratative and recursive DNS. These should be setup with either an
> allow-recursion { ACL;} statement or separate authoratative and recursive
> views limiting recursion to just those networks that should be sending
> recursive queries.
>
> Another option is to run separate services bound to different individual
> IPs on the server. i.e. bind9 or powerdns for authoratative DNS and
> unbound for recursion.
>
> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
