[dns-operations] DNS Issue
Joe Abley
jabley at hopcount.ca
Fri Apr 26 12:23:33 UTC 2013
On 2013-04-26, at 08:11, WBrown at e1b.org wrote:
>> From: "Dobbins, Roland" <rdobbins at arbor.net>
>
>> The actual problem being that the DNS servers oughtn't to be behind
>> a firewall in the first place.
>
> Can you elaborate on your statement? I can guess what the reaction around
> here would be if I suggested it.
This list needs a FAQ. The following is the usual way this conversation pans out.
The assumption is that "firewall" means "device that keeps state". This could be a firewall, or a NAT, or an in-line DPI device, or something similar. We're not talking about stateless packet filters.
A DNS server can process 100,000 qps on only mildly modern iron. With typical query patterns, that means something approaching a capacity of 100,000 flows per second.
Your steady state query load may be much lower, but DNS servers have a habit of attracting flash crowds.
The number of stateful firewalls that can happily handle occasional flows of up to 100,000 flows per second to/from individual devices is small. "Yours probably isn't one of them."
Joe
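The arithmetic behind Joe's point, as an added worked example that is not part of the original post or of any firewall vendor's software: each UDP query from a new (source IP, source port) pair costs a stateful device one flow entry, and an entry lives until its idle timer expires, so at R queries per second with a T-second UDP timeout the table must hold roughly R*T entries (Little's law). The per-second simulation below runs a constructed flash crowd through a flow table of fixed size and counts the queries that are dropped because no entry is free. The UDP timeout (30 s), table capacity (1,000,000 entries) and traffic shape are assumptions chosen for illustration, not figures from the thread.

```python
"""Flow-table model for a stateful firewall in front of a DNS server.

Added example for the dns-operations thread; not code from the post.
Every query is assumed to be a distinct flow (the worst case for an
authoritative server answering many resolvers). Capacity, timeout and
traffic shape are illustrative assumptions, not measured figures.
"""


def flows_in_flight(qps: int, udp_timeout: int) -> int:
    """Steady-state table occupancy: arrival rate times entry lifetime."""
    return qps * udp_timeout


def simulate_stateful(rates, capacity, udp_timeout):
    """Per-second simulation of a stateful device's flow table.

    rates:       new flows offered in each second (index = second).
    capacity:    maximum concurrent entries the device holds (assumed).
    udp_timeout: seconds an entry stays in the table (assumed).
    Returns (accepted, dropped, peak_occupancy). A query that cannot get
    an entry is dropped and never reaches the DNS server behind the box.
    """
    buckets = {}          # second an entry was created -> number of entries
    live = 0
    accepted = dropped = peak = 0
    for t, offered in enumerate(rates):
        # Expire entries whose idle timer has run out.
        for created in [s for s in buckets if t - s >= udp_timeout]:
            live -= buckets.pop(created)
        admit = min(offered, capacity - live)
        if admit:
            buckets[t] = admit
            live += admit
        accepted += admit
        dropped += offered - admit
        peak = max(peak, live)
    return accepted, dropped, peak


def flash_crowd(steady_qps=5_000, burst_qps=100_000, burst_seconds=60,
                surround_seconds=30):
    """Constructed traffic shape: steady load, a burst, then steady again."""
    return ([steady_qps] * surround_seconds
            + [burst_qps] * burst_seconds
            + [steady_qps] * surround_seconds)


if __name__ == "__main__":
    UDP_TIMEOUT = 30        # assumed idle timeout for UDP state
    CAPACITY = 1_000_000    # assumed flow-table size
    rates = flash_crowd()
    acc, drop, peak = simulate_stateful(rates, CAPACITY, UDP_TIMEOUT)
    print(f"burst needs {flows_in_flight(100_000, UDP_TIMEOUT):,} entries")
    print(f"accepted {acc:,}  dropped {drop:,}  peak occupancy {peak:,}")
```

With these assumptions the 100,000 qps burst needs 3,000,000 concurrent entries; a 1,000,000-entry table fills about nine seconds into the burst and then drops roughly two thirds of the burst's queries, even though the DNS server itself would have answered every one of them. A stateless packet filter has no table to fill: its cost is a fixed per-packet match on addresses and port 53, independent of how many flows are in flight.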