On 2013-04-26, at 08:11, [email protected] wrote:

>> From: "Dobbins, Roland" <[email protected]>
>
>> The actual problem being that the DNS servers oughtn't to be behind
>> a firewall in the first place.
>
> Can you elaborate on your statement? I can guess what the reaction around
> here would be if I suggested it.
This list needs a FAQ. The following is the usual way this conversation pans out.

The assumption is that "firewall" means "device that keeps state". This could be a firewall, or a NAT, or an in-line DPI device, or something similar. We're not talking about stateless packet filters.

A DNS server can process 100,000 qps on only mildly modern iron. With typical query patterns, that means something approaching a capacity of 100,000 flows per second. Your steady state query load may be much lower, but DNS servers have a habit of attracting flash crowds.

The number of stateful firewalls that can happily handle occasional flows of up to 100,000 flows per second to/from individual devices is small. "Yours probably isn't one of them."

Joe
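As an added illustration, not part of Joe's message or the list thread, the following Python model works through the state-table arithmetic behind his point: each UDP query is a fresh flow that occupies one firewall state entry until its idle timeout expires, so a 100,000 qps flash crowd needs roughly qps × timeout concurrent entries, and a table sized for the steady state starts refusing flows. The traffic profile, capacities and 30 s timeout are constructed assumptions, and the admit/refuse behaviour is a simplification of what real devices do.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class StatefulFirewallModel:
    """Hypothetical, simplified model of a firewall's connection-state table.

    Each DNS query is treated as one new UDP flow (a fresh 5-tuple) that holds
    one state entry until its idle timeout expires. Once the table is full,
    new flows are refused until existing entries age out.
    """
    capacity: int        # maximum concurrent state entries
    idle_timeout_s: int  # how long an idle UDP entry is kept

    def simulate(self, new_flows_per_second):
        # FIFO of (expiry_time, count): every flow admitted within the same
        # second shares one expiry, so the table is tracked in aggregate.
        entries = deque()
        held = 0
        peak = dropped = offered = 0
        for now, offered_now in enumerate(new_flows_per_second):
            # Age out entries whose idle timeout has passed.
            while entries and entries[0][0] <= now:
                held -= entries.popleft()[1]
            room = max(self.capacity - held, 0)
            admitted = min(offered_now, room)
            if admitted:
                entries.append((now + self.idle_timeout_s, admitted))
                held += admitted
            dropped += offered_now - admitted
            offered += offered_now
            peak = max(peak, held)
        return {"peak_entries": peak, "dropped": dropped, "offered": offered}


# Constructed traffic profile: 30 s of quiet steady-state load, then a 30 s
# flash crowd at the 100,000 qps the message cites for a modern server.
FLASH_CROWD = [5_000] * 30 + [100_000] * 30

# A table comfortably sized for the steady state (1M entries, 30 s UDP timeout).
UNDERSIZED = StatefulFirewallModel(capacity=1_000_000, idle_timeout_s=30)
# Same timeout, but a table large enough that nothing is ever refused.
GENEROUS = StatefulFirewallModel(capacity=10_000_000, idle_timeout_s=30)

if __name__ == "__main__":
    for name, fw in (("undersized", UNDERSIZED), ("generous", GENEROUS)):
        r = fw.simulate(FLASH_CROWD)
        print(f"{name}: peak {r['peak_entries']:,} entries, "
              f"dropped {r['dropped']:,} of {r['offered']:,} queries")
```

The generous table peaks at 3,000,000 entries (100,000 qps × 30 s), while the one sized for steady state fills within nine seconds of the crowd and then refuses about two thirds of the burst.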
