[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Sun Dec 29 07:00:07 EST 2013


On Dec 29, 2013, at 2:00 AM, MIke <mike-cisconsplist at tiedyenetworks.com> wrote:

> Open internet. I don't want to dictate to anyone which port numbers or protocols they are limited in using, and I want to impose only the absolute minimum of controls in order to deliver as much of an unfiltered / unrestricted service as I can.

Causing users to use your recursors by default, plus Open DNS and Google DNS, and with an opt-out proviso, does not in any way inhibit their ability to access the Internet, while doing so materially contributes to the security of your user base.

> That may be a wonderful design goal in theory, but our 'transit edge' as you call it, is a pair of linux boxen that do not have any effective interface for implementing policies or mitigation tools.

In that case, unfortunately, nothing you do is going to matter, anyways, as even a very small DDoS attack can take those boxes down completely.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
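As an added illustration (not part of this thread, and not Roland's or Mike's configuration): a BIND 9 named.conf fragment that does what the reply above recommends, namely serving recursion only to the provider's own user base and applying response rate limiting. The `customers` prefixes are constructed placeholders; the numeric limits are assumed starting values, not figures from the thread.

```conf
// Constructed example: restrict recursion to the provider's own address space
// and rate-limit responses so the resolver cannot be used as a reflector.
acl customers {
    192.0.2.0/24;      // placeholder IPv4 customer range
    2001:db8::/32;     // placeholder IPv6 customer range
};

options {
    recursion yes;

    // Only our users (and the box itself) may recurse or read the cache;
    // everyone else gets REFUSED instead of a recursive answer.
    allow-recursion   { customers; localhost; };
    allow-query-cache { customers; localhost; };

    // Response Rate Limiting (BIND 9.10+): cap identical responses to the
    // same client network so spoofed-source floods get slipped or dropped.
    rate-limit {
        responses-per-second 10;   // assumed value; tune from your own logs
        window 5;
        log-only yes;              // observe first, then remove this line to enforce
    };
};
```

Check the effect with `rndc reconfig` and a query from an address outside `customers`; a correctly closed resolver returns REFUSED, while hosts inside the ACL still get recursive answers. Hand the resolver addresses to customers through the normal DHCP/PPP option so they are used by default, which is the opt-out arrangement Roland describes.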