[dns-operations] DNS ANY requests from Amazon?

Paul Vixie paul at redbarn.org
Tue Dec 18 15:30:47 UTC 2012

On 12/18/2012 9:12 AM, Dobbins, Roland wrote:
> On Dec 18, 2012, at 5:44 AM, Vernon Schryver wrote:
>> Yes, you could do response rate limiting (RRL) within an application aware firewall by have the firewall do almost of all of the work of your DNS server. 
> The 'application-aware firewall' will collapse from state-table exhaustion, however, so this likely isn't a very good idea.

i don't think that follows. RRL is designed in a way that keeps state
manageably finite. in speaking to the cloudshield folks and learning
more about "packetC" i think RRL can be done as part of a really smart
front end firewall.


More information about the dns-operations mailing list