[dns-operations] Natting DNS farm behind LB - using priv ip space.
Dobbins, Roland
rdobbins at arbor.net
Fri Jun 17 11:48:18 UTC 2011
On Jun 17, 2011, at 6:34 PM, Florian Weimer wrote:
> I'm pretty sure address translation is part of many traffic scrubbing devices and services, so you're grossly oversimplifying. 8-)
It's part of traffic scrubbing devices and services which carry a lot of dangerous state.
It's a Very Bad Idea; I've seen NATted servers go down under extremely small DDoS attacks which wouldn't have caused a problem for the naked servers themselves. Stateful devices in front of servers should be avoided; if stateful load-balancers are used, they must be protected by S/SRTBH, flowspec, IDMS, et al.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde