[148555] in North American Network Operators' Group


Re: DNS Attacks

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jan 18 10:42:23 2012

In-Reply-To: <4F16DFA2.8030208@foobar.org>
Date: Wed, 18 Jan 2012 10:41:30 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Nick Hilliard <nick@foobar.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick@foobar.org> wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>> as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries.
> You would be much better off to put your firewall production interfaces on
> a routed port on a hardware router so that you can implement ASIC packet
> filtering. This will operate at wire speed without dumping you into the
> colloquial poo every time someone decides to take out your critical
> infrastructure.

I get the feeling that Leigh had implemented this against his own
advice for a client... that he's on board with the 'putting a firewall in
front of a DNS server is dumb' meme...
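To make the point in Nick's quoted paragraph concrete, here is an added simulation, written for this page and not code from the list or from either poster: a stateless, ACL-style filter and a bounded connection-tracking firewall are fed the same constructed packet stream, a trickle of legitimate query/reply pairs plus a flood of queries from unique spoofed sources. The server address, the client prefixes, the flow-table size (4,000 entries), the 30 s UDP entry timeout and the traffic rates are all assumptions made for the demonstration.

```python
"""Stateless ACL vs. connection-tracking firewall in front of a DNS server.
Added example for this thread, not code from NANOG or its posters: addresses,
flow-table size, timeout and the traffic mix are all constructed. Times are
integer milliseconds so the run is deterministic."""
from collections import OrderedDict, namedtuple

DNS_SERVER = "192.0.2.53"   # hypothetical authoritative server (TEST-NET-1)
LEGIT_NET = "203.0.113."    # hypothetical legitimate resolvers (TEST-NET-3)

Packet = namedtuple("Packet", "t_ms proto src sport dst dport")


def stateless_permit(pkt):
    """Router ACL semantics: verdict from this packet's headers alone. Permit
    anything to the server's port 53 and anything the server sends from port
    53. No memory, so per-packet cost does not grow with attack rate."""
    if pkt.proto not in ("udp", "tcp"):
        return False
    return (pkt.dst == DNS_SERVER and pkt.dport == 53) or (
        pkt.src == DNS_SERVER and pkt.sport == 53)


class ConntrackFirewall:
    """Stateful firewall: an inbound query creates a flow entry that lives for
    timeout_ms after its last packet; a reply is permitted only if it hits a
    live entry. The table is bounded, so once unique spoofed sources fill it,
    every new flow (legitimate or not) is dropped until entries time out."""

    def __init__(self, max_entries, timeout_ms):
        self.max_entries, self.timeout_ms = max_entries, timeout_ms
        self.table = OrderedDict()   # (proto, client, port) -> last seen, oldest first
        self.drops_table_full = 0

    def _expire(self, now):
        while self.table:
            key, last = next(iter(self.table.items()))
            if now - last < self.timeout_ms:
                break
            del self.table[key]

    def _touch(self, key, now):
        self.table[key] = now
        self.table.move_to_end(key)

    def permit(self, pkt):
        self._expire(pkt.t_ms)
        if pkt.dst == DNS_SERVER and pkt.dport == 53:        # inbound query
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.table and len(self.table) >= self.max_entries:
                self.drops_table_full += 1
                return False
            self._touch(key, pkt.t_ms)
            return True
        if pkt.src == DNS_SERVER and pkt.sport == 53:        # outbound reply
            key = (pkt.proto, pkt.dst, pkt.dport)
            if key not in self.table:
                return False
            self._touch(key, pkt.t_ms)
            return True
        return False


def build_stream(n_legit=100, flood_pps=1000, flood_ms=10_000, flood_start=5_000):
    """Constructed traffic: n_legit query/reply pairs over 20 s, plus a flood of
    queries from unique spoofed sources (the server's answers to the spoofed
    sources are omitted; in this model they would only refresh entries)."""
    pkts = []
    for i in range(n_legit):
        t, client, port = 200 * i, f"{LEGIT_NET}{i % 250 + 1}", 40_000 + i
        pkts.append(Packet(t, "udp", client, port, DNS_SERVER, 53))
        pkts.append(Packet(t + 10, "udp", DNS_SERVER, 53, client, port))
    step = 1000 // flood_pps
    for j in range(flood_pps * flood_ms // 1000):
        src = f"10.{(j >> 16) & 255}.{(j >> 8) & 255}.{j & 255}"   # spoofed
        pkts.append(Packet(flood_start + j * step, "udp", src,
                           1024 + j % 60_000, DNS_SERVER, 53))
    return sorted(pkts, key=lambda p: p.t_ms)   # stable sort, legit wins ties


def run(stream, permit):
    """Count what a filter lets through; neither can tell flood from real queries."""
    counts = {"legit_queries": 0, "legit_replies": 0, "flood_passed": 0}
    for pkt in stream:
        if not permit(pkt):
            continue
        if pkt.src.startswith(LEGIT_NET):
            counts["legit_queries"] += 1
        elif pkt.dst.startswith(LEGIT_NET):
            counts["legit_replies"] += 1
        else:
            counts["flood_passed"] += 1
    return counts


def compare(max_entries=4_000, timeout_ms=30_000):
    stream = build_stream()
    fw = ConntrackFirewall(max_entries, timeout_ms)
    return {"stateless": run(stream, stateless_permit),
            "stateful": run(stream, fw.permit),
            "stateful_drops_table_full": fw.drops_table_full}
```

With the defaults, `compare()` shows the stateless filter passing all 100 legitimate queries and replies (and the whole flood; it does nothing to stop the attack, it just does not fall over). The conntrack firewall fills its table about four seconds into the flood and from then on drops every new legitimate query as well, 55 of the 100 in this run, until entries time out. That is the failure mode behind the "no value to maintaining state" remark: for a single-datagram protocol the state buys no filtering decision the ACL could not already make from the headers, and it hands an attacker a cheap resource to exhaust.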

