[dns-operations] CloudShield advices against dDoS

Mike Jones mike at mikejones.in
Wed Feb 20 18:50:03 UTC 2013

On 20 February 2013 17:03, Joe Abley <jabley at hopcount.ca> wrote:
> On 2013-02-20, at 12:46, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> http://www.cloudshield.com/applications/dns-control-traffic-load.asp
> I think this particular "information security professional with more than 16 years of experience" is a bit confused. I tried hard to find something in there I agreed with, but I failed.

There are some very limited scenarios where some of his suggestions
might be acceptable if closely monitored by someone who has a clue
about DNS. Anyone who feels the need to read a 'how to set up your DNS
servers' type article like that should definitely not be doing any of
the things on that list - every one of those suggestions will break
something in a hard-to-diagnose way and should never be done on a
production network without a full understanding of the implications.

It doesn't even make a distinction between recursive and authoritative
servers, which are very different animals with very different traffic
patterns; it seems to flip back and forth between the 2 as if they
were one and the same - anyone writing about DNS should know to make
the distinction clear. Probably the most important and most basic bit
of 'security advice' for anyone setting up DNS servers is to keep
those roles separate. I don't see that in the article?

- Mike

(Yes, I know there are legitimate cases where it's fine to combine
authoritative and recursive roles, but if you can explain when and
where then you're probably not the target audience for the article)
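The role separation Mike describes, shown as an added example in BIND 9 named.conf syntax (this is not from the thread or from CloudShield; the zone name, file path and client prefix are placeholders):

```conf
// --- Authoritative-only server: serves its zones to the world, never recurses ---
options {
    recursion no;                      // refuse recursive lookups entirely
    allow-query { any; };              // authoritative data is public by design
    allow-query-cache { none; };       // nothing cached, so nothing to leak or poison
    minimal-responses yes;             // smaller answers, less amplification value
};
zone "example.test" {                 // placeholder zone
    type master;
    file "/etc/bind/db.example.test";  // placeholder path
};

// --- Recursive resolver: answers only for your own clients, serves no zones ---
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; localhost; };   // placeholder client prefix
    allow-query-cache { 192.0.2.0/24; localhost; }; // keep the cache private too
    allow-query { 192.0.2.0/24; localhost; };       // open resolvers get abused for reflection
};
```

Run the two configurations on separate hosts (or at least separate named instances on separate addresses); the point is that an attacker who can reach the authoritative server gets no recursion, and the resolver is never reachable from the open Internet.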

