North American Network Operators Group


Re: Domain Name System protection

  • From: Bill Woodcock
  • Date: Mon Aug 16 01:25:41 2004

    > 1. Is it really required to protect a DNS server with a
    > firewall?

Yes, it's a very, very good idea to do so.

    > How do those ISPs, e.g. AT&T, Sprint, make
    > their DNS system highly available?

By protecting it with a firewall.  :-)

    > Could we do that
    > by filtering traffic besides that destined to port
    > 53?

Yes, exactly.  And possibly also by creating two different pools of DNS
servers: one pool which is accessible from everywhere, and which is
authoritative for your and your customers' domains; the other which is
accessible only to your customers, and which performs recursive resolution
on their behalf.

    > 2. How could we extend our server farm by adding new
    > servers while announcing the same IP addresses to our
    > customers?

By doing exactly that.  Sharing one IP address across many servers is
called "anycast" and is standard practice for DNS service provision.

    > 4. Which hardware/OS platform is better for DNS
    > service?

The combination you've got, Solaris 8 and BIND 9, is fine.  Some people
would use other DNS server software, and some people would use FreeBSD or
NetBSD, but you've got a very mainstream combination.  We run Solaris 9
and BIND 9 on about forty DNS servers, for instance.

    > 5. Is it possible to filter those requests not
    > conforming to DNS documents?

That's a lot tougher.  Are you asking whether it's possible to have an
application-layer firewall screen out malformed requests _before they get
to your DNS server_?  That's theoretically possible, but I don't know of
anyone who does it.  Once the queries have arrived at the DNS server, the
DNS server application may be able to filter them in different ways, and
discard different classes of queries with different kinds of logging or
notification.

                                -Bill
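The two-pool split Bill recommends, written out as BIND 9 named.conf fragments for each pool. This is an added example, not code from the post or from Bill's servers; the zone name, customer prefixes and secondary address are placeholders.

```conf
## Pool A: public authoritative servers (answer for our zones, never recurse)
options {
    directory "/var/named";
    recursion no;                    # refuse recursion from everyone
    allow-query { any; };            # anyone may ask about zones we host
    allow-transfer { none; };        # default: no zone transfers
};

zone "example.net" {                 # placeholder customer zone
    type master;
    file "example.net.zone";
    allow-transfer { 192.0.2.10; };  # placeholder secondary server address
};

## Pool B: recursive resolvers reachable only from customer address space
acl customers {
    192.0.2.0/24;      # placeholder customer prefix (TEST-NET-1)
    198.51.100.0/24;   # placeholder customer prefix (TEST-NET-2)
    127.0.0.1;         # local monitoring
};

options {
    directory "/var/named";
    recursion yes;
    allow-query { customers; };       # non-customers get REFUSED
    allow-recursion { customers; };   # only customers may use the resolver
    allow-query-cache { customers; }; # cache contents not readable by outsiders
    allow-transfer { none; };
};
```

Pair each pool with a network filter that admits only UDP/TCP port 53 to the authoritative hosts from anywhere and to the recursive hosts from the same customer prefixes listed in the `customers` ACL, so the application-level ACL is not the only line of defence.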