North American Network Operators Group


Re: Summary with further Question: Domain Name System protection

  • From: Joe Shen
  • Date: Tue Aug 17 08:11:57 2004

Hi,

> > in situation of DoS attack or situation of high session rate;
> 
> Routers with hardware based access lists. No problem.


What I'm not sure about with ACLs on routers is how to keep a DNS
server alive under a DoS/DDoS attack. We suffered a DoS attack last
year, and we found that the source IPs of that attack were located in
our customers' IP address blocks. An ACL on the router could only
filter traffic that is not meaningful to the DNS server, but what
about the DDoS attack packets?

> 
> We currently have the Nominum CNS on trial here, and we are very
> impressed. It performs much better than BIND 8/9 - our measurements
> show even greater differences than Brad Knowles' tests. Example: One
> server running BIND 9 shows more than 30% CPU usage during peak hours,
> but only 2-3% with Nominum CNS. We also have the issue that BIND 9
> seems to start *failing* when it reaches a certain cache size (as in:
> Some queries are either not answered at all, or they are answered
> with SERVFAIL).
> 

Impressive! What's the peak value of concurrent DNS
requests in your trial? 

Thanks.

Joe 
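Joe's question is how a router ACL can tell DDoS packets apart from legitimate queries when the sources sit inside the provider's own customer blocks. A defensive first step that the thread only hints at is to measure per-source query rates from the resolver's own query log and map the noisy sources back to customer prefixes, so that any filtering or rate limiting is chosen from evidence rather than guessed. The script below is an added example, not code from this thread or from BIND or Nominum; it assumes the BIND 9 "queries" category log line format, and the log lines, addresses, threshold and customer prefixes are all constructed for illustration.

```python
"""Per-source DNS query-rate detector over BIND-style query-log lines.

Added example, not code from the original NANOG thread or from BIND/Nominum.
Assumes the BIND 9 query-log format:
    17-Aug-2004 08:11:57.001 client 192.0.2.10#53123: query: www.example.net IN A +
All sample lines, addresses and prefixes below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source inside a customer block sends a burst,
# one source outside any customer block sends a burst, two sources are quiet.
SAMPLE_LOG = """\
17-Aug-2004 08:11:57.001 client 192.0.2.10#53123: query: www.example.net IN A +
17-Aug-2004 08:11:57.010 client 192.0.2.10#53124: query: www.example.net IN A +
17-Aug-2004 08:11:57.020 client 192.0.2.10#53125: query: mail.example.net IN MX +
17-Aug-2004 08:11:57.031 client 192.0.2.10#53126: query: www.example.net IN A +
17-Aug-2004 08:11:57.045 client 192.0.2.10#53127: query: www.example.net IN A +
17-Aug-2004 08:11:57.060 client 192.0.2.10#53128: query: www.example.net IN AAAA +
17-Aug-2004 08:11:57.100 client 192.0.2.200#1025: query: www.example.net IN A +
17-Aug-2004 08:11:58.001 client 198.51.100.7#4000: query: x1.example.org IN A +
17-Aug-2004 08:11:58.005 client 198.51.100.7#4001: query: x2.example.org IN A +
17-Aug-2004 08:11:58.009 client 198.51.100.7#4002: query: x3.example.org IN A +
17-Aug-2004 08:11:58.013 client 198.51.100.7#4003: query: x4.example.org IN A +
17-Aug-2004 08:11:58.017 client 198.51.100.7#4004: query: x5.example.org IN A +
17-Aug-2004 08:11:58.200 client 192.0.2.200#1026: query: ftp.example.net IN A +
17-Aug-2004 08:11:59.500 client 2001:db8::42#5353: query: www.example.net IN AAAA +
general: info: zone example.net/IN: loaded serial 2004081701
"""

# Only lines that look like BIND query-log records are parsed; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source address, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("qname"), m.group("qtype")


def peak_rate_per_source(log_text, window_seconds=1):
    """Count queries per (source, time window) and return each source's busiest window."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _qname, _qtype = rec
        bucket = int(ts.timestamp()) // window_seconds
        counts[(src, bucket)] += 1
    peaks = {}
    for (src, _bucket), n in counts.items():
        peaks[src] = max(peaks.get(src, 0), n)
    return peaks


def customer_prefix_for(src, customer_prefixes):
    """Return the first customer prefix containing src, or None if it is external."""
    addr = ipaddress.ip_address(src)
    for prefix in customer_prefixes:
        # Mixed IPv4/IPv6 comparisons simply evaluate to False here.
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


def flag_sources(log_text, window_seconds, threshold, customer_prefixes):
    """Sources whose peak per-window query count exceeds threshold, tagged with
    the customer prefix they belong to (None when outside every customer block)."""
    flagged = {}
    for src, peak in peak_rate_per_source(log_text, window_seconds).items():
        if peak > threshold:
            flagged[src] = {
                "peak_per_window": peak,
                "customer_prefix": customer_prefix_for(src, customer_prefixes),
            }
    return flagged


if __name__ == "__main__":
    # Constructed customer blocks; a real deployment would load these from IPAM.
    result = flag_sources(SAMPLE_LOG, 1, 4, ["192.0.2.0/24", "2001:db8::/32"])
    for src, info in sorted(result.items()):
        print(f"{src}: {info['peak_per_window']} queries/s, customer block {info['customer_prefix']}")
```

The output separates sources that belong to a known customer block (a candidate for a targeted rate limit or a call to that customer) from external ones (a candidate for the router ACL), which is the distinction an address-only ACL cannot make by itself. The threshold and one-second window are deliberately simple; in practice they would be set from the resolver's normal per-client baseline.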