[dns-operations] security with a firewall

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Wed May 15 17:05:47 UTC 2013


I've been told that we can't implement BCP38 because it's actually egress filtering... it's only ingress from the perspective of the ISP and its downstream customers... to DNS operators, it's something the ISPs need to implement, since it is there to prevent source addresses that aren't in the netblock of the ISP's downstream customer from being forwarded into the Internet.

But outside our border is the whole Internet... so as long as the source address is valid and not us, how would we tell that it's being spoofed?

----- Original Message -----
> On 15 May 2013 09:13, fenghe <fenghe at dnsbed.com> wrote:
> > Does a hardware firewall help to defend against a DNS attack?
> > If so, what's the suggested policy/rules?
> 
> Chances are your firewall will break long before your DNS server is
> overwhelmed.
> 
> DNS traffic should not be firewalled; the number of UDP transactions
> will very rapidly use up lots of sessions and cripple the firewall.
> Instead, proper ingress filtering (BCP38) should be used on the network
> to prevent spoofed traffic from ever getting anywhere near your DNS
> servers.
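The two vantage points discussed in this thread, written out as an added example (this is not code from the original post or from either poster): an ISP edge applying BCP38 can reject a customer-port packet whose source lies outside the prefixes it allocated to that customer, because it knows those prefixes. A DNS operator's border, by contrast, can only catch sources it can locally prove impossible, i.e. packets claiming to come from the operator's own prefixes or from unroutable (martian) ranges; any other routable source address is indistinguishable from a genuine one. The port names, customer prefixes and the operator's own prefix are constructed from documentation ranges and are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (hypothetical): an ISP edge router with two
# customer ports and the prefixes allocated to the customer on each port.
CUSTOMER_PREFIXES = {
    "port1": [ipaddress.ip_network("192.0.2.0/24")],
    "port2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("2001:db8:1::/48")],
}

# Constructed: the DNS operator's own address space, as seen at its border.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8:53::/48")]

# Source ranges that can never legitimately arrive from the public Internet
# (RFC 1918, loopback, link-local, multicast, ULA, etc.).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass(frozen=True)
class Packet:
    ingress_port: str   # router port the packet arrived on
    src: str            # claimed source address
    dst: str            # destination address
    dport: int = 53     # UDP destination port; 53 for DNS


def _in_any(addr, networks):
    # Mixed IPv4/IPv6 comparisons simply return False in ipaddress, so one
    # list can hold both families.
    return any(addr in net for net in networks)


def bcp38_ingress_allowed(pkt, customer_prefixes=CUSTOMER_PREFIXES):
    """ISP-side BCP38 check on a customer-facing port.

    Forward the packet only if its source address lies inside a prefix the
    ISP allocated to the customer on that port. The ISP can do this because
    it knows the allocation; nobody further downstream does.
    """
    src = ipaddress.ip_address(pkt.src)
    return _in_any(src, customer_prefixes.get(pkt.ingress_port, []))


def border_ingress_allowed(pkt, own_prefixes=OWN_PREFIXES, martians=MARTIANS):
    """DNS-operator-side check on the Internet-facing border.

    The only spoofing that is locally provable is a source that claims to be
    one of our own prefixes, or a source in an unroutable range. Any other
    routable address passes, whether or not it was actually spoofed.
    """
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, own_prefixes):
        return False          # our addresses cannot arrive from outside
    if _in_any(src, martians):
        return False          # never valid on the public Internet
    return True


def filter_at_isp(packets):
    """Return the customer-port packets an ISP running BCP38 would forward."""
    return [p for p in packets if bcp38_ingress_allowed(p)]


def filter_at_border(packets):
    """Return the Internet-side packets the operator's border would accept."""
    return [p for p in packets if border_ingress_allowed(p)]


if __name__ == "__main__":
    # Constructed sample traffic at the ISP edge: two honest queries, two
    # with sources outside the customer's allocation.
    isp_side = [
        Packet("port1", "192.0.2.10", "203.0.113.53"),
        Packet("port1", "203.0.113.200", "203.0.113.53"),   # spoofed
        Packet("port2", "198.51.100.77", "203.0.113.53"),
        Packet("port2", "198.51.100.200", "203.0.113.53"),  # outside the /25
    ]
    for p in filter_at_isp(isp_side):
        print("ISP forwards", p.src, "from", p.ingress_port)

    # Constructed sample traffic arriving at the DNS operator's border.
    border_side = [
        Packet("wan", "203.0.113.9", "203.0.113.53"),      # claims to be us
        Packet("wan", "10.1.2.3", "203.0.113.53"),         # martian
        Packet("wan", "198.51.100.200", "203.0.113.53"),   # routable: passes
    ]
    for p in filter_at_border(border_side):
        print("border accepts", p.src, "(cannot tell whether it is spoofed)")
```

The last packet at the border is the case the post asks about: its source is a valid, routable address that is not the operator's, so the border check has nothing to reject it on, whereas the ISP check would have dropped it before it left the customer's port.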