DNS DoS ???
- Subject: DNS DoS ???
- From: nderitualex at gmail.com (Alex Nderitu)
- Date: Sat, 30 Jul 2011 22:01:23 +0300
- In-reply-to: <[email protected]>
- References: <CACRGtSOSPm12YE3S=n801ooun32VrXsRfP7yqO55kcHMSnss9A@mail.gmail.com> <[email protected]> <F3318834F1F89D46857972DD4B411D700520368F4C@exchange> <[email protected]>
DNS anycast can, in addition to ACLs, help distribute load.
On Jul 30, 2011 9:44 PM, "Jon Lewis" <jlewis at lewis.org> wrote:
> On Sat, 30 Jul 2011, Drew Weaver wrote:
>
>>> my DNS servers were getting slow so I blocked recursive queries for all
>>> but my own network.
>>
>> This should be the standard practice. By operating an open recursor,
>> you lend your DNS server to abuse as a contributor to DNS
>> reflection/amplification attacks.
>>
>> -----------------------------------------------------------------------
>>
>> And at this point he may as well just ACL in-front of the recursors to
>> prevent the traffic from hitting the servers thus reducing load needed
>> to reject the queries on the servers themselves.
>
> An awful lot of older/smaller deployments have single servers doing both
> authoritative and recursive DNS. These should be set up with either an
> allow-recursion { ACL; } statement or separate authoritative and recursive
> views limiting recursion to just those networks that should be sending
> recursive queries.
>
> Another option is to run separate services bound to different individual
> IPs on the server, i.e. bind9 or powerdns for authoritative DNS and
> unbound for recursion.
>
> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
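As an added illustration of the two BIND-side fixes Jon describes (an allow-recursion ACL, or separate authoritative and recursive views), here is a named.conf fragment written for this archive page; it is not configuration from any of the posters. The ACL name "trusted", the prefixes in it (RFC 5737 and RFC 3849 documentation ranges standing in for a real customer network), and the zone "example.com" are assumptions. The weak setting is kept as a comment so the before and after sit side by side.

```conf
// BEFORE (weak): a single server that is authoritative and an open recursor.
// With "recursion yes;" and no allow-recursion statement, any host on the
// Internet can obtain recursive answers, which is what makes the server
// usable in reflection/amplification attacks.
//
// options {
//     directory "/var/named";
//     recursion yes;
// };

// AFTER: define the networks that are allowed to recurse.
// Names and prefixes below are assumptions for this example.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;       // assumed customer/LAN prefix (RFC 5737 documentation range)
    2001:db8::/32;      // assumed IPv6 prefix (RFC 3849 documentation range)
};

options {
    directory "/var/named";
    recursion yes;
    // Fix 1: restrict recursion to the ACL. Refused queries are answered with
    // REFUSED, so the server no longer recurses on behalf of outsiders.
    allow-recursion { trusted; };
    // Cached (non-authoritative) answers should be limited the same way,
    // otherwise the cache can still be read by anyone.
    allow-query-cache { trusted; };
};

// Fix 2: separate views. Internal clients get recursion; everyone else sees
// only authoritative data with recursion disabled. When views are used, every
// zone must live inside a view, so the zone appears in both.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Either fix alone closes the open recursor; using both is belt and braces. For Jon's third option (separate daemons on separate addresses), BIND's `listen-on { ...; };` / `listen-on-v6` options pin the authoritative daemon to one address and unbound's `interface:` directive takes the other, with unbound's `access-control:` lines doing the job of the "trusted" ACL above. After any change, check from an address outside the ACL that a recursive query for a name you are not authoritative for comes back REFUSED rather than answered.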
- References:
- DNS DoS ???
- From: efinley.lists at gmail.com (Elliot Finley)
- DNS DoS ???
- From: rdobbins at arbor.net (Dobbins, Roland)
- DNS DoS ???
- From: drew.weaver at thenap.com (Drew Weaver)
- DNS DoS ???
- From: jlewis at lewis.org (Jon Lewis)