[dns-operations] A dns-proxy for DNS over HTTP(s)
Roland Dobbins
rdobbins at arbor.net
Wed Aug 26 10:55:32 UTC 2015
On 26 Aug 2015, at 20:16, Ken Peng wrote:
> Do you have the suggestions on general DNS defending?
ACLs to keep out-of-profile traffic off the servers (they're different
for authoritative vs. recursive servers); RRL for authoritative servers;
logical separation of authoritative and recursive servers; S/RTBH or
flowspec; dnsdist; astute use of RPZ; tuning DNS servers (both the named
itself and the OS/IP stack) to handle lots of TCP; the use of
intelligent DDoS mitigation systems (IDMSes) to protect DNS servers
(there are both open-source and commercial options; full disclosure, I
work for a vendor of such solutions).
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
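
An added example, not part of the original message and not taken from any name server's code: a simplified model of response rate limiting (RRL) on an authoritative server, showing why slipped (truncated) replies tie RRL to the TCP tuning the post mentions. The class, its parameter names and defaults, and the sample traffic are assumptions made for illustration.

```python
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Toy RRL model: limits identical responses sent toward one client network."""

    def __init__(self, per_second=5, window=5, slip=2):
        self.per_second = per_second          # identical responses allowed per second
        self.floor = -per_second * window     # deepest debt an entry can accumulate
        self.slip = slip                      # every Nth limited reply goes out truncated
        self.state = {}                       # key -> [balance, last_second, limited_count]

    def decide(self, now, client_ip, qname, rcode="NOERROR"):
        # Account per network, not per address: spoofed floods vary the host bits.
        addr = ipaddress.ip_address(client_ip)
        plen = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network(f"{client_ip}/{plen}", strict=False)
        key = (str(net), qname.lower().rstrip("."), rcode)
        entry = self.state.setdefault(key, [self.per_second, now, 0])
        # Credit the elapsed seconds, capped at one second's allowance.
        entry[0] = min(self.per_second, entry[0] + (now - entry[1]) * self.per_second)
        entry[1] = now
        # Debit this response, never going below the window floor.
        entry[0] = max(self.floor, entry[0] - 1)
        if entry[0] >= 0:
            return "send"
        entry[2] += 1
        # A truncated reply lets a real client retry over TCP, which a spoofer cannot.
        if self.slip and entry[2] % self.slip == 0:
            return "truncate"
        return "drop"


def replay(limiter, events):
    """Run (second, client_ip, qname) events through the limiter and count outcomes."""
    return Counter(limiter.decide(t, ip, name) for t, ip, name in events)


# Constructed sample traffic: 20 same-second queries with sources in one /24
# (documentation range), as a reflection attempt against that network would look.
FLOOD = [(0, f"192.0.2.{i}", "example.com") for i in range(1, 21)]

if __name__ == "__main__":
    rl = ResponseRateLimiter()
    print(replay(rl, FLOOD))
    print(rl.decide(0, "198.51.100.7", "example.com"))  # unrelated client
```

Every truncated reply can turn into a TCP retry from a legitimate resolver, so a server running RRL needs the TCP capacity the message lists alongside it.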