[dns-operations] A dns-proxy for DNS over HTTP(s)

Roland Dobbins rdobbins at arbor.net
Wed Aug 26 10:55:32 UTC 2015


On 26 Aug 2015, at 20:16, Ken Peng wrote:

> Do you have the suggestions on general DNS defending?

ACLs to keep out-of-profile traffic off the servers (they're different 
for authoritative vs. recursive servers); RRL for authoritative servers; 
logical separation of authoritative and recursive servers; S/RTBH or 
flowspec; dnsdist; astute use of RPZ; tuning DNS servers (both the named 
itself and the OS/IP stack) to handle lots of TCP; the use of 
intelligent DDoS mitigation systems (IDMSes) to protect DNS servers 
(there are both open-source and commercial options; full disclosure, I 
work for a vendor of such solutions).

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>



More information about the dns-operations mailing list