On 20 February 2013 17:03, Joe Abley <[email protected]> wrote:
>
> On 2013-02-20, at 12:46, Stephane Bortzmeyer <[email protected]> wrote:
>
>> http://www.cloudshield.com/applications/dns-control-traffic-load.asp
>
> I think this particular "information security professional with more than 16
> years of experience" is a bit confused. I tried hard to find something in
> there I agreed with, but I failed.

There are some very limited scenarios where some of his suggestions might be acceptable if closely monitored by someone who has a clue about DNS. Anyone who feels the need to read a 'how to set up your DNS servers' type article like that should definitely not be doing any of the things on that list - every one of those suggestions will break something in a hard-to-diagnose way and should never be done on a production network without a full understanding of the implications.

It doesn't even make a distinction between recursive and authoritative servers, which are very different animals with very different traffic patterns; it seems to flip back and forth between the 2 as if they were one and the same - anyone writing about DNS should know to make the distinction clear. Probably the most important and most basic bit of 'security advice' for anyone setting up DNS servers is to keep those roles separate; I don't see that in the article?

- Mike

(Yes, I know there are legitimate cases where it's fine to combine authoritative and recursive roles, but if you can explain when and where then you're probably not the target audience for the article)

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
