[c-nsp] rate limit dns

Nick Hilliard nick at foobar.org
Thu Jan 2 13:10:51 EST 2014


On 02/01/2014 17:32, Eugeniu Patrascu wrote:
> My reasoning on putting something stateful was to have it timeout
> connections in 2-3 seconds max (Windows for example has 2 sec. DNS server
> query timeout).

There's no reason to maintain state in two places (firewall + dns server)
when only one is necessary.  You're only introducing an extra failure
vector.  Besides which, when your firewall table runs out of slots, the
failure mode is catastrophic.

Best to separate auth + resolver to separate systems and run stateless
packet filters in front of both, with permit for tcp/udp port 53 + the
usual other things.

Nick
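An added example, not part of Nick's message or of anything posted to the list, of what the layout he describes could look like as a stateless IOS ACL in front of the two hosts. The addresses 192.0.2.10 (authoritative), 192.0.2.20 (resolver), the customer prefix 198.51.100.0/24, the management prefix 203.0.113.0/24 and the interface name are placeholders. The ACL permits tcp/udp 53 plus the usual other things (the ICMP needed for path MTU discovery and reachability, SSH from management) and denies the rest; it keeps no session state, so the router cannot run out of table slots under a query flood.

```cisco
! Added example (placeholders throughout); not configuration from the list.
ip access-list extended DNS-SERVERS-IN
 !
 ! --- authoritative server: answers anyone, so source is "any" ---
 remark TCP is required, not optional: truncated answers retry over TCP
 permit udp any host 192.0.2.10 eq domain
 permit tcp any host 192.0.2.10 eq domain
 !
 ! --- resolver: only the customer prefix may query it (no open resolver) ---
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.20 eq domain
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.20 eq domain
 remark replies to the resolver's own upstream queries come from source port 53;
 remark without state the router can only match on that, so nothing else on
 remark the resolver should listen on UDP (the host-side filter handles that)
 permit udp any eq domain host 192.0.2.20
 permit tcp any eq domain host 192.0.2.20 established
 !
 ! --- ICMP needed for path MTU discovery and basic reachability ---
 permit icmp any host 192.0.2.10 unreachable
 permit icmp any host 192.0.2.10 time-exceeded
 permit icmp any host 192.0.2.10 echo
 permit icmp any host 192.0.2.20 unreachable
 permit icmp any host 192.0.2.20 time-exceeded
 permit icmp any host 192.0.2.20 echo
 !
 ! --- management from the assumed NOC prefix only ---
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.10 eq 22
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.20 eq 22
 !
 ! explicit deny so counters show what is being dropped
 deny ip any any
!
interface GigabitEthernet0/1
 description toward DNS servers (assumed interface)
 ip access-group DNS-SERVERS-IN out
```

The `established` keyword only checks TCP flag bits, and the UDP line for upstream replies matches any packet with source port 53, which is the price of not keeping state on the router: it is the host-side configuration of the resolver (listening on nothing but 53 and the random source port the resolver picks per query) that makes that acceptable. Authoritative and resolver each get their own lines because, once they are separate hosts, their source policies differ: the authoritative server must accept queries from the world, the resolver must not.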


