Re: DNS DoS ???

[John Adams <jna () retina net>]

I don't think anycast works the way you think it does. It'll distribute load
for single dns servers, but not the case that he is describing.

-j


On Sat, Jul 30, 2011 at 12:01 PM, Alex Nderitu <nderitualex () gmail com>wrote:

> Dns anycast can in addition to acl help distribute load.
>  On Jul 30, 2011 9:44 PM, "Jon Lewis" <jlewis () lewis org> wrote:
> > On Sat, 30 Jul 2011, Drew Weaver wrote:
> >
> > > > my DNS servers were getting slow so I blocked recursive queries for all
> > > > but my own network.
> > >
> > > This should be the standard practice. By operating an open recursor,
> > > you lend your DNS server to abuse as a contributor to DNS
> > > reflection/amplification attacks.
> > >
> > > -----------------------------------------------------------------------
> > >
> > > And at this point he may as well just ACL in-front of the recursors to
> > > prevent the traffic from hitting the servers thus reducing load needed
> > > to reject the queries on the servers themselves.
> >
> > An awful lot of older/smaller deployments have single servers doing both
> > authoratative and recursive DNS. These should be setup with either an
> > allow-recursion { ACL;} statement or separate authoratative and recursive
> > views limiting recursion to just those networks that should be sending
> > recursive queries.
> >
> > Another option is to run separate services bound to different individual
> > IPs on the server. i.e. bind9 or powerdns for authoratative DNS and
> > unbound for recursion.
> >
> > ----------------------------------------------------------------------
> > Jon Lewis, MCP :) | I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________