[c-nsp] rate limit dns
Dobbins, Roland
rdobbins at arbor.net
Thu Jan 2 04:29:49 EST 2014
On Jan 2, 2014, at 4:22 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
> FWIW, if you run your customers' recursive resolvers on a Linux/*BSD box you can set up iptables/pf in such a way that you only allow queries from customers and from your resolver to the internet in a stateful way and deny unrelated incoming "responses" and still have the same performance levels.
Until someone DDoSes the box from one end or the other, taking down both authoritative service and recursive service at one fell swoop.
That's one of the many reasons one's DNS ought to look something like this:
<https://app.box.com/s/72bccbac1636714eb611>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
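The stateful iptables arrangement Eugeniu describes, written out as an added example (not code from either poster or from the cisco-nsp list). It generates an iptables-restore ruleset for a Linux box that is a recursive resolver only: customer prefixes may open new queries to the resolver, the resolver may open new queries to the internet, and anything arriving on port 53 that conntrack has no entry for (an unsolicited "response") falls to the INPUT DROP policy. The resolver address 192.0.2.53, the customer prefixes and the interface-free layout are assumed placeholders; management access (SSH etc.) is deliberately left out.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Linux recursive
# resolver that only answers its own customers and only accepts replies to
# queries it sent itself. Addresses are constructed placeholders.
#
# Usage:  dns_resolver_rules <resolver_ip> <customer_cidr>... > rules.v4
#         iptables-restore < rules.v4        (as root; not run here)

dns_resolver_rules() {
    resolver="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to our own outbound recursion come back as ESTABLISHED.
# A spoofed "response" with source port 53 has no conntrack entry, so it
# never matches here and is dropped by the chain policy below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New queries are accepted only from customer prefixes, UDP and TCP.
EOF
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -p udp -s $cidr -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        printf '%s\n' "-A INPUT -p tcp -s $cidr -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Outbound recursion: the resolver may open new queries to any server.
# Everything else (non-customer sources, unsolicited replies) hits INPUT DROP.
-A OUTPUT -p udp -s $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -s $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone run with constructed sample values when no arguments are given.
if [ "$#" -eq 0 ]; then
    dns_resolver_rules 192.0.2.53 198.51.100.0/24 203.0.113.0/24
else
    dns_resolver_rules "$@"
fi
```

Two caveats a practitioner will want. The ESTABLISHED match depends on conntrack entries surviving until the answer arrives; UDP entries expire after net.netfilter.nf_conntrack_udp_timeout (30 seconds by default), which is ample for DNS. More importantly, the conntrack table itself (net.netfilter.nf_conntrack_max) is finite and fills under a query or response flood, at which point new entries fail and the box stops resolving, which is exactly the "DDoS the box from one end or the other" failure Roland points to, and one more reason to keep authoritative service on separate hosts with a plainer, stateless ruleset.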