nanog mailing list archives
Re: Summary with further Question: Domain Name System protection
From: sthaug () nethelp no
Date: Tue, 17 Aug 2004 11:03:27 +0200
> 1. ISPs use a firewall to protect their DNS servers;

Depends. You don't normally need a full-fledged (stateful) firewall. Normal (stateless) router access lists are just fine.
> 2. An ACL on the router may be a good solution for protecting DNS servers; the policy could be "only pass those packets which originate from customers' IP address blocks and are destined to UDP port 53 of the DNS server";
In general, allow only relevant traffic. That may be a bit more than just UDP port 53: You really want to allow TCP based DNS queries also, and your name server probably needs SSH, NTP and similar.
> 5. 'bogon' in the BIND configuration could be used to filter requests from RFC 1918 addresses;
Better to do it on the router.
> 6. A firewall may become a bottleneck for a DNS server farm during a DoS attack or at high session rates;
Routers with hardware based access lists. No problem.
> b) Is there any publicly available performance evaluation of Nominum's product?
See Brad Knowles' tests: http://www.ripe.net/ripe/meetings/archive/ripe-44/presentations/ripe44-dns-dnscomp.pdf

We currently have the Nominum CNS on trial here, and we are very impressed. It performs much better than BIND 8/9 - our measurements show even greater differences than Brad Knowles' tests. Example: One server running BIND 9 shows more than 30% CPU usage during peak hours, but only 2-3% with Nominum CNS.

We also have the issue that BIND 9 seems to start *failing* when it reaches a certain cache size (as in: Some queries are either not answered at all, or they are answered with SERVFAIL).

Steinar Haug, Nethelp consulting, sthaug () nethelp no
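The stateless ACL policy sketched in points 2, 5 and 6 above (customer blocks only, UDP and TCP 53, RFC 1918 sources dropped on the router, SSH and NTP for the server itself), worked through as an added example that is not part of the post. All prefixes, the server address 192.0.2.53, the management block, the NTP source and the rule order are constructed assumptions; `classify()` evaluates a packet against the rule set the way a router does (first match wins, implicit deny at the end), and `render_ios_acl()` emits the same policy as Cisco IOS extended ACL lines. One caveat the post only implies is made explicit: a stateless list has no session table, so replies to the resolver's own outbound queries (source port 53 to its ephemeral ports) must be permitted by a separate rule.

```python
"""Stateless (router-ACL style) filter policy for a recursive DNS server.

Added example, not from the NANOG post. All prefixes, the server address
and the rule set are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# --- Constructed assumptions (not from the post) ----------------------------
DNS_SERVER = ipaddress.ip_address("192.0.2.53")        # the resolver being protected
CUSTOMER_BLOCKS = [                                      # who may send it queries
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
MGMT_BLOCK = ipaddress.ip_network("192.0.2.0/28")       # admins allowed to ssh in
NTP_SERVERS = [ipaddress.ip_address("192.0.2.123")]     # the server's NTP sources
# RFC 1918 plus a few other never-valid source ranges: drop on the router
BOGON_SOURCES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8", "127.0.0.0/8")
]
EPHEMERAL = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(pkt: Packet) -> tuple:
    """First-match evaluation of the inbound ACL toward the DNS server.

    Returns (action, rule_name). Rule order matters, exactly as on a router.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    proto = pkt.proto.lower()

    # 1. Bogon / RFC 1918 sources are dropped on the router before anything else.
    if _in_any(src, BOGON_SOURCES):
        return "deny", "bogon-source"

    # Everything below is traffic addressed to the resolver itself.
    if dst != DNS_SERVER:
        return "deny", "not-dns-server"

    # 2. Customer queries: UDP *and* TCP port 53 (TCP is needed for truncated
    #    answers and large responses, not just zone transfers).
    if _in_any(src, CUSTOMER_BLOCKS) and proto in ("udp", "tcp") and pkt.dport == 53:
        return "permit", "customer-dns-" + proto

    # 3. Replies to the resolver's own outbound queries: a stateless ACL keeps
    #    no session table, so answers from any authoritative server (source
    #    port 53) to the resolver's ephemeral ports must be permitted explicitly.
    if proto in ("udp", "tcp") and pkt.sport == 53 and pkt.dport in EPHEMERAL:
        return "permit", "dns-reply-" + proto

    # 4. Management: SSH only from the admin block.
    if src in MGMT_BLOCK and proto == "tcp" and pkt.dport == 22:
        return "permit", "mgmt-ssh"

    # 5. NTP replies from the configured time sources only.
    if src in NTP_SERVERS and proto == "udp" and pkt.sport == 123 and pkt.dport == 123:
        return "permit", "ntp"

    # Implicit deny at the end of every ACL.
    return "deny", "implicit-deny"


def render_ios_acl(name: str = "DNS-IN") -> list:
    """Render the same policy as Cisco IOS extended ACL lines (illustrative)."""
    def wc(net):  # IOS wildcard mask is the inverted netmask
        return str(net.hostmask)

    lines = ["ip access-list extended %s" % name]
    for n in BOGON_SOURCES:
        lines.append(" deny ip %s %s any" % (n.network_address, wc(n)))
    for n in CUSTOMER_BLOCKS:
        for proto in ("udp", "tcp"):
            lines.append(" permit %s %s %s host %s eq 53"
                         % (proto, n.network_address, wc(n), DNS_SERVER))
    lines.append(" permit udp any eq 53 host %s gt 1023" % DNS_SERVER)
    lines.append(" permit tcp any eq 53 host %s gt 1023 established" % DNS_SERVER)
    lines.append(" permit tcp %s %s host %s eq 22"
                 % (MGMT_BLOCK.network_address, wc(MGMT_BLOCK), DNS_SERVER))
    for s in NTP_SERVERS:
        lines.append(" permit udp host %s eq 123 host %s eq 123" % (s, DNS_SERVER))
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(render_ios_acl()))
```

The reply rule (3) is the price of going stateless: any host that sets source port 53 can reach the resolver's high ports, which is why the TCP variant carries `established` and why the resolver should still not listen on anything there. The bogon denies sit first so they cost nothing on a hardware-ACL platform and are not accidentally shadowed by a later permit.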