On 14/09/16 20:41, Matthew Pounsett wrote:
> Your best option is something that can do the job statelessly. As
> Warren says, anything that keeps state (firewall, load balancer, etc.)
> becomes a DoS target... or, at best, becomes the thing that runs out of
> resources before your network or your DNS servers do.
> Mostly that means using a routing protocol to do LAN-scope Anycast via
> ECMP. ISC has a technote that explains how to do it.
Agreed. We use exaBGP to anycast our resolvers into our BGP routing
table and ECMP on top of that. Works well.
In the past we did a split - one resolver IP via anycast, one via
load-balancers, but TBH the heterogeneity didn't buy us anything, and
the SLB load was substantial, so we moved to all-anycast.
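As an added illustration of the exaBGP-plus-ECMP setup described above (example code, not from the thread, ISC or the ExaBGP project): ExaBGP can run a helper as a configured "process" and turns each `announce route` / `withdraw route` line it prints into a BGP UPDATE, so the resolver's anycast /32 is only in the routing table while the local resolver actually answers queries; a resolver that dies without withdrawing its route would otherwise blackhole its share of the ECMP traffic. The prefix, next-hop, probe name and 2-second interval are placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical ExaBGP health-check process for an anycast resolver.

Prints ExaBGP API lines on state transitions; ExaBGP reads them from stdout.
All addresses and the probe name are placeholders.
"""
import socket
import struct
import time

ANYCAST_PREFIX = "192.0.2.53/32"  # placeholder: shared resolver address
NEXT_HOP = "198.51.100.7"         # placeholder: this host's unicast address
PROBE_NAME = "example.com"        # placeholder: name the resolver must resolve
LOCAL_RESOLVER = ("127.0.0.1", 53)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with RD set (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def response_is_healthy(query: bytes, resp: bytes) -> bool:
    """Healthy only if the reply echoes our ID, has QR set and RCODE 0."""
    if len(resp) < 12:
        return False
    txid, flags = struct.unpack("!HH", resp[:4])
    sent_id = struct.unpack("!H", query[:2])[0]
    return txid == sent_id and bool(flags & 0x8000) and (flags & 0x000F) == 0


def probe(timeout: float = 1.0) -> bool:
    """Send one query to the local resolver; any error or timeout is unhealthy."""
    q = build_query(PROBE_NAME)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, LOCAL_RESOLVER)
            resp, _ = s.recvfrom(512)
        except OSError:
            return False
    return response_is_healthy(q, resp)


def route_command(healthy: bool) -> str:
    """The ExaBGP API line that matches the current health state."""
    verb = "announce" if healthy else "withdraw"
    return f"{verb} route {ANYCAST_PREFIX} next-hop {NEXT_HOP}"


def main() -> None:
    state = None
    while True:                      # emit only when the state changes
        healthy = probe()
        if healthy != state:
            print(route_command(healthy), flush=True)
            state = healthy
        time.sleep(2)


if __name__ == "__main__":
    main()
```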
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users