> From: "Dobbins, Roland" <rdobb...@arbor.net>
>
> Sure, but RRL isn't the issue; it's all the rest of what 'application
> firewalls' do which causes them to choke. I've yet to see one which
> doesn't choke under even moderate DDoS, and have never seen one which
> implements any form of classification in a stateless or minimized-state
> manner.
It's well known that Roland Dobbins doesn't think much of application firewalls or stateful firewalls in general. I also don't think much of application firewalls, and not only because of the FUD that is much of their brochures, the never-ending broken vendor promises, or the exaggerated performance. I've been grumbling since tcp wrappers first appeared that application firewalls are usually poor bandaids for stupid application security holes that could (and should) be more securely and cheaply fixed in the applications.

But all of those criticisms are irrelevant to what hypothetical firewalls might do for current and foreseeable DNS security issues. That currently popular firewalls can't cope or do only stupid stuff like ANY filtering doesn't justify rejecting firewalls for reflection attacks on principle.

Besides, DoS attacks on DNS servers themselves (as opposed to using DNS servers to attack others) are best handled outside in smart (e.g. sane state table management) application firewalls. It's not good for a DNS server to discard excessive (relative to the server's own resources) requests. By the time a request can be discarded by the server, too many local resources have been burned.

Vernon Schryver
v...@rhyolite.com

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
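The thread turns on two things: classification that keeps its state small and bounded, and "sane state table management" so an attacker cannot grow the table without limit. The sketch below is an added illustration, not code from either poster or from any RRL implementation: an RRL-style response rate limiter whose state is a fixed-size LRU table of token buckets keyed by client prefix and response identity. The tuning constants, the /24 and /56 aggregation choices, and the sample burst are constructed for the example.

```python
import ipaddress
from collections import OrderedDict

# Constructed tuning values in the spirit of RRL (not copied from any implementation).
RESPONSES_PER_SECOND = 5   # identical responses allowed per client prefix per second
WINDOW_SECONDS = 15        # credit cap: a prefix can bank at most one window of allowance
SLIP = 2                   # every 2nd limited answer goes out truncated (TC=1) so real clients retry over TCP
MAX_BUCKETS = 1024         # hard bound on table size, whatever the traffic looks like


class BoundedRRL:
    """Minimized-state response rate limiter: a fixed-size LRU table of token buckets."""
    def __init__(self, max_buckets=MAX_BUCKETS):
        self.max_buckets = max_buckets
        self.buckets = OrderedDict()  # key -> [tokens, last_seen, limited_count]

    @staticmethod
    def key_for(src_ip, qname, qtype):
        # Aggregate by /24 (IPv4) or /56 (IPv6) plus response identity, so a spoofed
        # source range cannot mint an unbounded number of distinct keys.
        addr = ipaddress.ip_address(src_ip)
        plen = 24 if addr.version == 4 else 56
        prefix = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(prefix), qname.lower().rstrip("."), qtype.upper())

    def decide(self, src_ip, qname, qtype, now):
        """Return 'send', 'slip' or 'drop' for one would-be response at time `now` (seconds)."""
        key = self.key_for(src_ip, qname, qtype)
        b = self.buckets.get(key)
        if b is None:
            if len(self.buckets) >= self.max_buckets:
                self.buckets.popitem(last=False)  # evict least recently used; memory stays bounded
            b = self.buckets[key] = [float(RESPONSES_PER_SECOND), now, 0]
        else:
            self.buckets.move_to_end(key)
            # Refill in proportion to elapsed time, clamped so an idle prefix cannot bank a huge burst.
            b[0] = min(RESPONSES_PER_SECOND * WINDOW_SECONDS,
                       b[0] + (now - b[1]) * RESPONSES_PER_SECOND)
            b[1] = now
        if b[0] >= 1.0:
            b[0] -= 1.0
            return "send"
        b[2] += 1
        return "slip" if SLIP and b[2] % SLIP == 0 else "drop"


if __name__ == "__main__":
    # Constructed burst: one spoofed /24 hammering ANY example.com at a single instant.
    rrl = BoundedRRL()
    for i in range(8):
        print(i, rrl.decide(f"192.0.2.{i}", "example.com.", "ANY", 1000.0))
```

Because the table never exceeds `max_buckets` entries and eviction is O(1), the decision cost does not grow with the number of spoofed sources, which is the property the quoted message asks for and the reason such a limiter can sit in front of the server rather than inside it.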