[dns-operations] Natting DNS farm behind LB - using priv ip space.

Dobbins, Roland rdobbins at arbor.net
Fri Jun 17 11:48:18 UTC 2011

On Jun 17, 2011, at 6:34 PM, Florian Weimer wrote:

> I'm pretty sure address translation is part of many traffic scrubbing devices and services, so you're grossly oversimplifying. 8-)

It's part of traffic scrubbing devices and services which carry a lot of dangerous state.

It's a Very Bad Idea; I've seen NATted servers go down under extremely small DDoS attacks which wouldn'tve caused a problem for the naked servers themselves.  Stateful devices in front of servers should be avoided; if stateful load-balancers are used, they must be protected by S/SRTBH, flowspec, IDMS, et. al.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde

More information about the dns-operations mailing list