[dns-operations] Continued weekly DDoS fun
Matthew Pounsett
matt.pounsett at cira.ca
Mon Jan 12 17:48:51 UTC 2009
On 12-Jan-2009, at 12:35, Joe Abley wrote:
>
> Have you considered reducing the number of zones each nameserver is
> authoritative for (and presumably vastly increasing the number of
> available servers) so that you can isolate individual servers under
> attack and protect the rest of your users?
If you have a large number of zones, a trick that could work in tandem
with some expansion is to mesh your zone layout a bit.
NS 1 - Hosts Zone 1 and Zone 2
NS 2 - Hosts Zone 2 and Zone 3
NS 3 - Hosts Zone 3 and Zone 1.
If Server 2 and 3 come under attack, then you know with some certainty
that it's likely Zone 3 attracting the unwanted attention. You can
get more certainty with less capital expansion, but at the cost of
operational complexity... how much extra operational complexity
depends on the number of zones you have and how often you add/remove
zones.
Matt
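The attribution logic Matt sketches above, worked out as an added example (this is not code from the mail or from any project the thread discusses): each zone is placed on a distinct pair of nameservers, so the set of servers observed under attack maps back to a single zone. The three-zone layout is taken from the mail; the `mesh_capacity` / `build_mesh_layout` helpers, the server and zone names beyond those three, and the ranking for partial observations are assumptions of this example.

```python
"""Meshed zone placement for narrowing a DDoS target to one zone.

Each zone is served by a small, distinct subset of the nameserver fleet.
When some servers are under attack, the zones whose entire server set is
inside the attacked set are the likely targets.  Added illustration, not
part of the original mail.
"""
from itertools import combinations
from math import comb

# The layout given in the mail: NS 1 hosts Zone 1 + Zone 2, NS 2 hosts
# Zone 2 + Zone 3, NS 3 hosts Zone 3 + Zone 1.
PAGE_LAYOUT = {
    "Zone 1": frozenset({"NS 1", "NS 3"}),
    "Zone 2": frozenset({"NS 1", "NS 2"}),
    "Zone 3": frozenset({"NS 2", "NS 3"}),
}


def mesh_capacity(n_servers, replicas=2):
    """How many zones can be given a distinct server set of size `replicas`
    when `n_servers` nameservers are available (assumed helper)."""
    return comb(n_servers, replicas)


def build_mesh_layout(zones, servers, replicas=2):
    """Assign each zone to a distinct combination of `replicas` servers
    (assumed helper).  Distinct combinations are what make the attacked
    server set identify at most one zone."""
    combos = list(combinations(sorted(servers), replicas))
    if len(zones) > len(combos):
        raise ValueError(
            f"{len(zones)} zones but only {len(combos)} distinct "
            f"{replicas}-server sets over {len(servers)} servers"
        )
    return {zone: frozenset(pair) for zone, pair in zip(zones, combos)}


def is_identifying(layout):
    """True when no two zones share the same server set, i.e. a full hit
    on one zone's servers cannot be confused with another zone."""
    sets = list(layout.values())
    return len(set(sets)) == len(sets)


def suspect_zones(layout, attacked):
    """Zones whose every nameserver is in the attacked set.  More than one
    result means the observation is ambiguous (for example every server
    is being hit, which may be a fleet-wide attack rather than one zone)."""
    attacked = frozenset(attacked)
    return sorted(zone for zone, hosts in layout.items() if hosts <= attacked)


def rank_zones(layout, attacked):
    """For partial observations (only some of a zone's servers hit), rank
    zones by the fraction of their servers currently under attack."""
    attacked = frozenset(attacked)
    scores = {}
    for zone, hosts in layout.items():
        hit = len(hosts & attacked)
        if hit:
            scores[zone] = hit / len(hosts)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # The scenario from the mail: NS 2 and NS 3 are under attack.
    print(suspect_zones(PAGE_LAYOUT, {"NS 2", "NS 3"}))   # ['Zone 3']
    # Only NS 2 hit so far: Zone 2 and Zone 3 are equally plausible.
    print(rank_zones(PAGE_LAYOUT, {"NS 2"}))
    # A larger fleet: 6 servers give room for 15 zones on distinct pairs.
    print(mesh_capacity(6))
```

With two replicas per zone, the number of zones that can be told apart grows as C(n, 2), which is the "more certainty with less capital expansion" trade-off in the mail; the price is that adding or removing a zone means recomputing and re-delegating pairs, which is the operational complexity Matt mentions.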