[dns-operations] Continued weekly DDoS fun

Matthew Pounsett matt.pounsett at cira.ca
Mon Jan 12 17:48:51 UTC 2009


On 12-Jan-2009, at 12:35 , Joe Abley wrote:

>
> Have you considered reducing the number of zones each nameserver is  
> authoritative for (and presumably vastly increasing the number of  
> available servers) so that you can isolate individual servers under  
> attack and protect the rest of your users?

If you have a large number of zones, a trick that could work in tandem  
with some expansion is to mesh your zone layout a bit.

NS 1  - Hosts Zone 1 and Zone 2
NS 2  - Hosts Zone 2 and Zone 3
NS 3  - Hosts Zone 3 and Zone 1.

If Servers 2 and 3 come under attack, then you know with some certainty  
that it's likely Zone 3 attracting the unwanted attention.  You can  
get more certainty with less capital expansion, but at the cost of  
operational complexity... how much extra operational complexity  
depends on the number of zones you have and how often you add/remove  
zones.

Matt
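The inference described in the message above, written out as an added example (this is not code from the original post or from CIRA). The server names, zone names and the "attacked" sets are constructed sample data; `mesh_layout` generalizes the three-server layout in the post to N servers by giving each zone its own distinct pair of servers, which is an assumption about how one would scale the trick, not something the post specifies.

```python
"""Infer which zone a DDoS is aimed at from which authoritative servers are
under load, given an overlapping ("meshed") zone-to-server layout.

Added example, not from the original post. Server/zone names below are
constructed sample data.
"""
from itertools import combinations

# The exact layout from the post: each zone lives on two servers, and
# every pair of servers shares exactly one zone.
POST_LAYOUT = {
    "NS 1": {"Zone 1", "Zone 2"},
    "NS 2": {"Zone 2", "Zone 3"},
    "NS 3": {"Zone 3", "Zone 1"},
}


def hosts_of(layout):
    """Invert a server -> zones map into zone -> servers."""
    hosts = {}
    for server, zones in layout.items():
        for zone in zones:
            hosts.setdefault(zone, set()).add(server)
    return hosts


def suspect_zones(layout, attacked):
    """Return the zones consistent with the observed set of attacked servers.

    A zone can only be the target if *every* server hosting it is under
    attack (traffic for a zone hits all of its authoritative servers).
    With the post's layout, attacked = {NS 2, NS 3} yields ["Zone 3"].
    If every server is attacked, every zone is returned: the layout gives
    no information in that case, which is the caveat to keep in mind.
    """
    attacked = set(attacked)
    return sorted(z for z, hs in hosts_of(layout).items() if hs <= attacked)


def explains_observation(layout, attacked):
    """True if the suspect zones together account for all attacked servers.

    False means some attacked server hosts no suspect zone, i.e. the load
    there is not explained by a zone-targeted attack under this layout
    (an attack on the server itself, or a layout error).
    """
    attacked = set(attacked)
    hosts = hosts_of(layout)
    covered = set()
    for zone in suspect_zones(layout, attacked):
        covered |= hosts[zone]
    return covered == attacked


def mesh_layout(zones, servers):
    """Assumed generalization: assign each zone to a distinct pair of servers.

    N servers give N*(N-1)/2 distinct pairs, so that many zones can be told
    apart by this method (3 for the post's 3 servers). Extra zones wrap
    around and share a pair, and become indistinguishable from each other.
    """
    pairs = list(combinations(servers, 2))
    layout = {s: set() for s in servers}
    for i, zone in enumerate(zones):
        for s in pairs[i % len(pairs)]:
            layout[s].add(zone)
    return layout


if __name__ == "__main__":
    print(suspect_zones(POST_LAYOUT, {"NS 2", "NS 3"}))
    print(suspect_zones(POST_LAYOUT, {"NS 1", "NS 2", "NS 3"}))
    big = mesh_layout([f"z{i}" for i in range(1, 7)], ["a", "b", "c", "d"])
    print(big, suspect_zones(big, {"a", "d"}))
```

The subset test is the whole trick: with the post's layout, load on NS 2 and NS 3 but not NS 1 rules out Zone 1 and Zone 2 immediately, because each of those has a server that is idle. The operational cost the post mentions shows up in `mesh_layout`: adding a server or zone changes which pair each zone sits on, so the layout has to be regenerated and redeployed rather than grown incrementally.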

