[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Thu Jan 2 04:29:49 EST 2014


On Jan 2, 2014, at 4:22 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:

> FWIW, if you run your customers' recursive resolvers on a Linux/*BSD box you can set up iptables/pf in such a way that you only allow queries from customers and from your resolver to the internet in a stateful way and deny unrelated incoming "responses" and still have the same performance levels.

Until someone DDoSes the box from one end or the other, taking down both authoritative service and recursive service at one fell swoop.

That's one of the many reasons one's DNS ought to look something like this:

<https://app.box.com/s/72bccbac1636714eb611>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
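For readers who want to see what the stateful filtering Eugeniu describes looks like in practice, here is an added nftables ruleset (not from either poster) for a box that serves only as a recursive resolver for customers; the customer prefixes and resolver address are placeholders. It lets conntrack admit replies to queries the resolver itself sent and drops unsolicited "responses", but it does nothing about the box being flooded, which is Dobbins's point about keeping authoritative and recursive service apart.

```nftables
# Added example, not from the thread. Placeholder addresses (RFC 5737 ranges).
define customer_nets = { 192.0.2.0/24, 198.51.100.0/24 }
define resolver_ip   = 203.0.113.53

table inet dns_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Replies to queries this resolver sent out: conntrack has a matching
        # outbound entry, so they arrive as "established".
        ct state established,related accept
        ct state invalid drop

        # New queries are accepted only from customer address space.
        ip saddr $customer_nets udp dport 53 ct state new accept
        ip saddr $customer_nets tcp dport 53 ct state new accept

        # Packets that look like DNS answers but match no outbound query
        # (spoofed/reflected "responses") are counted and dropped here.
        udp sport 53 counter drop
        # Everything else falls through to the chain's drop policy.
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept

        # Answers back to customers for queries already in the conntrack table.
        ct state established,related accept

        # Outbound recursion only from the resolver's own address.
        ip saddr $resolver_ip udp dport 53 ct state new accept
        ip saddr $resolver_ip tcp dport 53 ct state new accept
    }
}
```

Load it with `nft -f <file>`; IPv6 customers would need matching `ip6 saddr` rules, omitted here for brevity.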



