[dns-operations] does it matter when nameserver recs have non-matching PTRs ?

Mark Jeftovic markjr at easydns.com
Sat Aug 1 19:15:22 UTC 2015

On 2015-08-01 2:33 PM, Roland Dobbins wrote:
> On 2 Aug 2015, at 0:03, Mark Jeftovic wrote:
>> DNS ops for ns1.example.com change it's IP to route queries to another
>> location, say: ddos1.example.com
> The attack will just follow it to the new IP address and pummel *that*. 
> Sometimes automagically due to automation in the attack tools, sometimes
> after a delay when the attacker checks manually.
> Moving IP addresses around hasn't been a valid DDoS defense tactic for
> about 15 years, now.

It works just fine when ddos1.example.com is sitting inside a scrubbing
center of a competent DDoS mitigation outfit.

We do this all the time with Zoneedit, and in a slightly different way
with easyDNS (in the former we move the IPs in the latter we shift our
BGP announcements)

- mark

Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog:    http://markable.com
+1-416-535-8672 ext 225

More information about the dns-operations mailing list