[148554] in North American Network Operators' Group


Re: DNS Attacks

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Wed Jan 18 10:05:57 2012

X-Envelope-To: <nanog@nanog.org>
Date: Wed, 18 Jan 2012 15:05:06 +0000
From: Nick Hilliard <nick@foobar.org>
To: nanog@nanog.org
In-Reply-To: <D181DDABABE57E4DB72FEE0033147864480EDE@EALPO1.ukbroadband.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 18/01/2012 14:18, Leigh Porter wrote:
> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
> as it is not *my* firewalls I really don't care what they do ;-)

As you're posting here, it looks like it's become your problem. :-D

Seriously, though, there is no value to maintaining state for DNS queries.
You would be much better off to put your firewall production interfaces on
a routed port on a hardware router so that you can implement ASIC packet
filtering.  This will operate at wire speed without dumping you into the
colloquial poo every time someone decides to take out your critical
infrastructure.

Nick
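The stateless alternative Nick describes, written out as a router ACL on a routed port. This is an added example, not configuration from the original post or from anyone on the thread. It assumes an authoritative DNS server at 192.0.2.53 behind interface GigabitEthernet0/1 of an IOS-style router, a NOC prefix of 203.0.113.0/24 for management, and ACL names of my own choosing; addresses are RFC 5737 documentation prefixes and the interface name is illustrative. Every packet is matched on its own headers, so there is no connection table for a query flood to exhaust.

```text
! Added example, not from the original post. Assumed: authoritative
! server 192.0.2.53 on the segment behind GigabitEthernet0/1, NOC prefix
! 203.0.113.0/24, illustrative ACL names and interface name.
!
! Toward the server: queries on UDP and TCP 53 (TCP for large answers
! and zone transfers), management from the NOC only, everything else
! dropped. No "established"/inspect keywords: nothing is tracked.
ip access-list extended DNS-SERVER-IN
 remark queries to the authoritative server
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 remark management from the NOC prefix only
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.53 eq 22
 remark drop the rest in hardware; no "log" keyword, logging punts to CPU on most platforms
 deny ip any host 192.0.2.53
!
! From the server: answers leave with source port 53; SSH replies go
! back to the NOC prefix; nothing else should originate from the host.
ip access-list extended DNS-SERVER-OUT
 permit udp host 192.0.2.53 eq 53 any
 permit tcp host 192.0.2.53 eq 53 any
 permit tcp host 192.0.2.53 eq 22 203.0.113.0 0.0.0.255
 deny ip host 192.0.2.53 any
!
! The interface faces the server segment, so traffic toward the server
! is egress ("out") here and traffic from the server is ingress ("in").
interface GigabitEthernet0/1
 description Routed port facing the DNS server segment
 ip address 192.0.2.1 255.255.255.0
 ip access-group DNS-SERVER-IN out
 ip access-group DNS-SERVER-OUT in
```

Two caveats a practitioner will want. First, this is the authoritative-server case; a recursive resolver also needs the answers to its own outbound queries admitted, which in a stateless ACL is a port-range match such as `permit udp any eq 53 host 192.0.2.53 gt 1023` rather than a state entry, and that line necessarily admits any packet with source port 53 into the ephemeral range, so spoofed-answer resistance has to come from the resolver (source-port randomisation, DNSSEC validation), not from the router. Second, the ACL drops unwanted traffic at line rate but does nothing to reduce the legitimate-looking query load that reaches the server; capacity for that still has to be planned on the DNS hosts themselves, and TCAM space for long ACLs is finite, so keep the entries few and broad.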


