Colm MacCárthaigh (colm) writes:
> 
> With the greatest of respect; that thinking is itself simplistic.
> Where I work we concentrate on writing very good firewalls. Sometimes
> these rules even have to parse DNS, just as the DNS server must ...
> which causes duplication of work. We do this for several reasons;

        [valid arguments trimmed]

> During real attacks, if a packet makes it to the dns server, the game is
> already lost.

        If you've got a cluster of anycast boxes behind a set of stateful
        firewalls, chances are you'll run out of states way before you exhaust
        what the DNS farm is capable of pushing out. At least that's what I've
        seen. Common wisdom is to let the DNS server deal with it, but I don't
        work where you work :) 

        Cheers,
        Phil
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs