North American Network Operators Group

Re: Summary with further Question: Domain Name System protection
> 1. ISPs use firewall to protect their DNS server;

some do, some don't

> 4. Anycast is the most scalable and standard solution
> for dispersed DNS server farm, while layer-4 switch
> could deal with centralized server farm;

it's not a standard.

> 5. 'bogon' in BIND configuration could be used to
> filter requests from RFC1918 address;

this should be pushed to the router. don't waste CPU cycles on the nameserver.

> 6. Firewall may become bottleneck of DNS server farm
> in situation of DoS attack or situation of high
> session rate;

yes

> 7. It's good solution to divide DNS servers into two
> groups, one for recursive lookup the other for
> non-recursive;

yes

> 8. BIND should be configured carefully and there is
> BIND secure template to follow

although the template will not meet every case.

> a) If firewall is used to protect DNS server farm,
> could it do more than router's ACL while reaching the
> same performance-cost ratio? which one is usually
> chosen by those ISPs having big customer numbers? (we
> noticed DNS requests from our customers keep increasing
> in past months)

general rule - drop undesired traffic as far upstream as possible.

> b) Is there any publicly available performance
> evaluation on Nominum's product?

you should check w/ the Nominum staff on any performance evaluations.

>
> Any of your words will be highly appreciated.
>
> Joe