[73221] in North American Network Operators' Group


Re: Summary with further Question: Domain Name System protection

daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Mon Aug 16 23:57:51 2004

Date: Tue, 17 Aug 2004 03:57:17 +0000
From: bmanning@vacation.karoshi.com
To: Joe Shen <joe_hznm@yahoo.com.sg>
Cc: Bill Woodcock <woody@pch.net>, nanog@merit.edu
In-Reply-To: <20040817030304.26432.qmail@web90006.mail.scd.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu


> 1. ISPs use firewall to protect their DNS server;

	some do, some don't

> 4. Anycast is the most scalable and standard solution
> for dispersed DNS server farm, while layer-4 switch
> could deal with centralized server farm;

	it's not a standard.

> 5. 'bogon' in BIND configuration could be used to
> filter requests from RFC1918 address;

	this should be pushed to
	the router.  don't waste CPU cycles 
	on the Nameserver.

> 6. Firewall may become bottleneck of DNS server farm
> in situation of DoS attack or situation of high
> session rate;

	yes

> 7. It's good solution to divide DNS servers into two
> groups, one for recursive lookup the other for
> non-recursive;

	yes

> 8. BIND should be configured carefully and there is
> BIND secure template to follow

	altho the template will not meet every case.

> a) If firewall is used to protect DNS server farm,
> could it do more than a router's ACL while reaching the
> same performance-cost ratio? Which one is usually
> chosen by those ISPs having big customer numbers? (We
> noticed DNS requests from our customers keep increasing
> in past months.)

	general rule - drop undesired traffic as far
	upstream as possible.

> b) Is there any public available performance
> evaluation on Nominum's product? 

	you should check w/ the Nominum staff on any
	performance evaluations.

> 
> Any of your words will be highly appreciated.
> 
> Joe
> 

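As an added illustration of points 5 and 7 above (example configuration, not from the thread), here are two separate named.conf fragments for BIND 9: one for the authoritative group of hosts, one for the recursive group. The RFC 1918 blackhole follows the reply's advice in that it is only a backstop behind router filtering; 203.0.113.0/24 stands in for the ISP's customer space and is a constructed placeholder.

```conf
// Added example, not from the thread. Two separate named.conf files for
// BIND 9 (allow-query-cache needs 9.4+, rate-limit needs 9.9.4+).
// The customer prefix 203.0.113.0/24 is a constructed placeholder.

// Shared ACLs (put in both files).
// RFC 1918 sources should be dropped on the upstream router first; the
// blackhole below only keeps the nameserver from spending cycles on
// whatever leaks through.
acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl "customers" {
    203.0.113.0/24;     // constructed placeholder for the ISP's customer space
};

// === named.conf on the authoritative-only hosts (point 7) ===
// No recursion at all, so this group cannot be used as an open resolver
// and a flood of recursive queries cannot tie up its worker threads.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };            // authoritative data is public
    allow-transfer { none; };        // list your secondaries here instead of none
    blackhole { rfc1918; };
    rate-limit { responses-per-second 10; };  // RRL dampens reflection floods
};

// === named.conf on the recursive resolvers (point 7) ===
// Separate hosts and separate addresses from the authoritative group;
// nothing authoritative is served here, and only customers may ask.
options {
    directory "/var/named";
    recursion yes;
    allow-query       { customers; };
    allow-recursion   { customers; };
    allow-query-cache { customers; };
    blackhole { rfc1918; };
    recursive-clients 10000;         // cap on concurrent recursions under load
};
```

Run `named-checkconf` against each file after editing; it catches the common mistake of mixing both options blocks into one file.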