[dns-operations] DNS Issue

Joe Abley jabley at hopcount.ca
Fri Apr 26 12:23:33 UTC 2013

On 2013-04-26, at 08:11, WBrown at e1b.org wrote:

>> From: "Dobbins, Roland" <rdobbins at arbor.net>
>> The actual problem being that the DNS servers oughtn't to be behind 
>> a firewall in the first place.
> Can you elaborate on your statement?  I can guess what the reaction around 
> here would be if I suggested it.

This list needs a FAQ. The following is the usual way this conversation pans out.

The assumption is that "firewall" means "device that keeps state". This could be a firewall, or a NAT, or an in-line DPI device, or something similar. We're not talking about stateless packet filters.

A DNS server can process 100,000 qps on only mildly modern iron. With typical query patterns, that means something approaching a capacity of 100,000 flows per second.

Your steady state query load may be much lower, but DNS servers have a habit of attracting flash crowds.

The number of stateful firewalls that can happily handle occasional flows of up to 100,000 flows per second to/from individual devices is small. "Yours probably isn't one of them."
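A small capacity model of the argument above, added here and not part of the original thread: each UDP query creates a new entry in a stateful device's flow table, and that entry lingers for the device's UDP idle timeout, so a flash crowd at 100,000 qps needs far more state than the steady-state load suggests. The table size (1,000,000 entries), the 30 s UDP timeout and the traffic profile are constructed assumptions, not figures from the post.

```python
from collections import deque


class StateTable:
    """Model of a firewall/NAT flow table: fixed capacity, entries expire after a timeout."""

    def __init__(self, capacity, udp_timeout):
        self.capacity = capacity
        self.timeout = udp_timeout
        self.buckets = deque()  # (expiry_time, entries) in expiry order (timeout is constant)
        self.n = 0              # entries currently held
        self.admitted = 0
        self.dropped = 0        # new flows refused because the table was full

    def expire(self, now):
        while self.buckets and self.buckets[0][0] <= now:
            _, count = self.buckets.popleft()
            self.n -= count

    def new_flows(self, now, count):
        self.expire(now)
        accepted = min(self.capacity - self.n, count)
        if accepted:
            self.buckets.append((now + self.timeout, accepted))
            self.n += accepted
        self.admitted += accepted
        self.dropped += count - accepted


def simulate(capacity, udp_timeout, profile, step=1.0):
    """profile: list of (duration_seconds, qps); every query is one new UDP flow.
    Returns admitted/dropped flow counts and the peak number of concurrent entries."""
    table = StateTable(capacity, udp_timeout)
    now, peak = 0.0, 0
    for duration, qps in profile:
        end = now + duration
        while now < end:
            table.new_flows(now, int(qps * step))
            peak = max(peak, table.n)
            now += step
    return {"admitted": table.admitted, "dropped": table.dropped, "peak_state": peak}


if __name__ == "__main__":
    # Constructed scenario: a minute at 5,000 qps, then a one-minute flash crowd at 100,000 qps.
    steady = simulate(1_000_000, 30.0, [(60, 5_000)])
    flash = simulate(1_000_000, 30.0, [(60, 5_000), (60, 100_000)])
    print("steady state:", steady)   # no drops, ~150k entries held
    print("flash crowd: ", flash)    # table pinned at capacity, millions of queries refused
```

The steady-state load fits comfortably, but the same table saturates within seconds of the flash crowd and then refuses most new queries for as long as it lasts; a stateless packet filter has no such table to exhaust.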
