nanog mailing list archives
Re: DNS Attacks
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 18 Jan 2012 10:41:30 -0500
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick () foobar org> wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah, like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.
I get the feeling that Leigh had implemented this against his own advice for a client... that he's on board with the 'putting a firewall in front of a DNS server is dumb' meme...
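The stateless, wire-speed filtering Nick describes, as an added example that is not part of the thread: Cisco IOS-style ACL syntax, the interface name and the server address 192.0.2.53 are assumptions, and it assumes an authoritative-only server (no outbound queries that would need a return path), so no connection table is involved at all.

```cisco
! Stateless ACLs applied on the upstream-facing routed port.
! Every line is evaluated per packet in hardware; nothing is tracked.
ip access-list extended DNS-SERVER-IN
 remark queries toward the authoritative server (assumed address)
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 remark allow fragments of large UDP answers/EDNS queries
 permit udp any host 192.0.2.53 fragments
 deny   ip  any host 192.0.2.53
 permit ip  any any
!
ip access-list extended DNS-SERVER-OUT
 remark answers leaving the server; source port 53 is all we match on
 permit udp host 192.0.2.53 eq 53 any
 permit tcp host 192.0.2.53 eq 53 any
 deny   ip  host 192.0.2.53 any
 permit ip  any any
!
interface GigabitEthernet0/1
 description upstream (assumed)
 ip access-group DNS-SERVER-IN in
 ip access-group DNS-SERVER-OUT out
```

Under a query flood the only cost is the per-packet lookup, whereas a stateful device would allocate a session entry for every spoofed source before dropping it; if the same host also acts as a recursive resolver, its outbound queries and their replies on ephemeral ports need further permit lines, which is exactly the case where people reach for state.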