[dns-operations] does it matter when nameserver recs have non-matching PTRs ?
Mark Jeftovic
markjr at easydns.com
Sat Aug 1 19:15:22 UTC 2015
On 2015-08-01 2:33 PM, Roland Dobbins wrote:
>
> On 2 Aug 2015, at 0:03, Mark Jeftovic wrote:
>
> >> DNS ops for ns1.example.com change its IP to route queries to another
>> location, say: ddos1.example.com
>
> The attack will just follow it to the new IP address and pummel *that*.
> Sometimes automagically due to automation in the attack tools, sometimes
> after a delay when the attacker checks manually.
>
> Moving IP addresses around hasn't been a valid DDoS defense tactic for
> about 15 years, now.
>
It works just fine when ddos1.example.com is sitting inside a scrubbing
center of a competent DDoS mitigation outfit.
We do this all the time with Zoneedit, and in a slightly different way
with easyDNS (in the former we move the IPs, in the latter we shift our
BGP announcements).
- mark
--
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog: http://markable.com
+1-416-535-8672 ext 225