[dns-operations] DNS Amplification Attacks

Joe St Sauver joe at oregon.uoregon.edu
Tue Mar 21 21:28:26 UTC 2006


Paul mentioned:

#the reason i mostly heard a few weeks back was mobility.  IT departments like
#to be able to send staffers home or on travel with laptops that are wired up
#to use the IT department's nameservers, overriding any local DHCP offerings.

VPN support would trivially handle that. We've had really good luck with the
Cisco 3000's locally (PC and Mac users) for a number of years now; see
http://cc.uoregon.edu/cnews/spring2002/vpn.html  Just works. They even have 
a client for Intel OS X boxes now. :-)

[Disclaimer: no financial interest in Cisco; mention of this product is made 
as an example of one solution in this space and is not meant to imply that 
there aren't equally good/better/worse alternative products that one could 
also try, etc., etc. -- this just happens to be the one we're using]

[2nd Disclaimer: obviously you can undercut all this if you configure the VPN
to do split DNS, etc., but we're assuming that you're not doing that if 
use of the enterprise DNS servers is a big deal for you/your users]

[Also stipulated: this is not a zero cost solution. However, if you are an 
organization providing laptops to staff, you already know that those aren't 
free either (although some of them are admittedly getting amazingly cheap, 
as I outlined at http://cc.uoregon.edu/cnews/winter2006/budgetlaptop.htm )]

Regards,

Joe St Sauver (joe at oregon.uoregon.edu)


