[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Fri Dec 27 03:24:55 EST 2013


On Dec 27, 2013, at 10:55 AM, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:

>    Can anyone suggest how we might tighten this up and either have a separate rate limit list or somehow exclude my small list of resolver IPs from the above limiting?

Using any QoS mechanism, let alone an old, obsolete, unmaintained one like CAR, to deal with DDoS isn't a good idea - programmatically-generated attack traffic can 'crowd out' legitimate traffic.  

Why are you allowing DNS responses from outside your network to your subscribers at all, excepting Google DNS, OpenDNS, and anything specifically arranged for specific customers (the assumption is that you're running a consumer broadband access network)?

Also, you should have sufficient layer-3 hierarchy in your network to have the ability to deploy policies/mitigation tools at your transit edge which do not affect your customer aggregation edge, and vice versa.  If you don't currently have separation of these topological roles, then implementing same should be a priority.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
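Worked example of the filtering approach described above (added here; it is not part of the original post and not the poster's or Arbor's configuration). It is an IOS extended ACL applied inbound on the transit-facing interface, so it never sees traffic between the operator's own resolvers and its subscribers, which is what the original question was trying to exclude from the rate-limiter. All prefixes, host addresses other than the well-known Google DNS (8.8.8.8, 8.8.4.4) and OpenDNS (208.67.222.222, 208.67.220.220) resolvers, and the interface name are assumptions for illustration.

```cisco
! Added example, not from the original post. Assumed addressing:
!   192.0.2.0/24     operator's own recursive resolvers
!   198.51.100.0/22  consumer broadband subscriber pool
!   203.0.113.9      one customer with an arranged exception (runs own resolver)
!   GigabitEthernet0/0  transit-facing interface
!
ip access-list extended TRANSIT-IN-DNS
 remark -- own recursive resolvers must still receive answers from any authoritative server
 permit udp any eq domain 192.0.2.0 0.0.0.255
 permit tcp any eq domain 192.0.2.0 0.0.0.255
 remark -- public resolvers that subscribers may query directly
 permit udp host 8.8.8.8 eq domain 198.51.100.0 0.0.3.255
 permit udp host 8.8.4.4 eq domain 198.51.100.0 0.0.3.255
 permit udp host 208.67.222.222 eq domain 198.51.100.0 0.0.3.255
 permit udp host 208.67.220.220 eq domain 198.51.100.0 0.0.3.255
 permit tcp host 8.8.8.8 eq domain 198.51.100.0 0.0.3.255
 permit tcp host 8.8.4.4 eq domain 198.51.100.0 0.0.3.255
 permit tcp host 208.67.222.222 eq domain 198.51.100.0 0.0.3.255
 permit tcp host 208.67.220.220 eq domain 198.51.100.0 0.0.3.255
 remark -- per-customer arrangement: this subscriber is allowed to receive DNS from anywhere
 permit udp any eq domain host 203.0.113.9
 permit tcp any eq domain host 203.0.113.9
 remark -- any other DNS response sourced from port 53 toward subscribers is dropped
 remark -- (no 'log' keyword: punting drops to the CPU during an attack defeats the purpose)
 deny   udp any eq domain 198.51.100.0 0.0.3.255
 deny   tcp any eq domain 198.51.100.0 0.0.3.255
 remark -- everything else is untouched by this policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Transit uplink
 ip access-group TRANSIT-IN-DNS in
!
! Verify placement and hit counts after applying:
!   show ip access-lists TRANSIT-IN-DNS
!   show ip interface GigabitEthernet0/0 | include access list
```

Two caveats a practitioner would want before deploying this. First, the deny entries match on the UDP/TCP header, so non-initial IP fragments of large (EDNS0) responses carry no port and fall through to the final permit; if fragmented reflection traffic is part of the problem, an additional entry with the `fragments` keyword toward the subscriber range is needed, at the cost of also dropping fragments of legitimate large answers. Second, the first two entries are what keep the operator's own resolvers working, since they depend on receiving responses from arbitrary authoritative servers; an ACL that only allowed the public resolvers would break recursion for every subscriber. An equivalent `ipv6 access-list` is needed for the v6 side of the network.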



