[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Mon Dec 30 21:12:34 EST 2013


On Dec 31, 2013, at 1:27 AM, Mack McBride <mack.mcbride at viawest.com> wrote:

> Phishing has little to do with DNS per se.

Some does, actually.

> BUT, forcing customers to use your DNS results in the possibility of all of your customers suffering in a DDoS situation where your DNS servers are targeted.

If your first-line recursive DNS servers are configured correctly, then they can't be DDoSed directly from outside your network, and it's easy enough to squelch attacks originating from within your network via S/RTBH or other mitigation mechanisms.  There are mitigation mechanisms to protect the upper tier of external resolvers which feed the first-tier resolvers, as well.

What part of allowing Google DNS and OpenDNS by default wasn't clear?

Also, note that policies can be altered, if circumstances warrant.  But any network operator which doesn't have the capability to defend its own recursive DNS servers from DDoS attacks should take steps to implement S/RTBH, et al.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
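As an added illustration of what "configured correctly" means for a first-line recursive server (this is not configuration from the post or from Arbor; it is a constructed BIND 9 named.conf fragment, and the prefixes are RFC 5737/3849 documentation ranges standing in for an operator's real customer space), the weak setting is shown beside the hardened one. The hardened version refuses recursion and cache access to anyone outside the customer ACL, so the resolver cannot be queried, and therefore cannot be amplified through or flooded with recursive work, from outside the network; it also enables response rate limiting, which needs BIND 9.10 or later built with RRL support. The `rate-limit` numbers are assumptions for illustration and must be tuned per deployment.

```conf
// Weak: an open resolver. Anyone on the Internet can drive recursion,
// read the cache, and use the box as a reflector/amplifier.
//
// options {
//     recursion yes;
//     allow-recursion { any; };
//     allow-query     { any; };
// };

// Hardened: recursion only for the operator's own customer prefixes.
// Constructed example ranges; replace with the real customer space.
acl customers {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
    198.51.100.0/24;
    2001:db8::/32;
};

options {
    directory "/var/named";
    recursion yes;

    // Who may ask us to recurse, and who may read cached answers.
    allow-recursion   { customers; };
    allow-query-cache { customers; };
    // Refuse everything else outright (REFUSED, not a silent drop,
    // so the customer side is still debuggable with dig).
    allow-query       { customers; };

    // Keep answers small so a spoofed customer source gains little
    // amplification even for queries that do get through.
    minimal-responses yes;

    // Response rate limiting per /24 (v4) and /56 (v6) source block.
    // Values here are illustrative assumptions, not recommendations.
    rate-limit {
        responses-per-second 20;
        errors-per-second    5;
        nxdomains-per-second 5;
        window 5;
        slip 2;
        // Set to "yes" first to measure what would be limited
        // before enforcing.
        log-only no;
    };
};
```

The ACL is keyed on the source address, so a query forged with a customer source still gets recursion; this is why the post's point about squelching attacks "originating from within your network" matters, and why ingress filtering (BCP 38) at the customer edge and S/RTBH on the trigger router are the complement to the resolver-side ACL rather than a substitute for it. A quick check from a non-customer address is `dig @<resolver> example.com`, which should return status REFUSED rather than an answer.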
