[dns-operations] A dns-proxy for DNS over HTTP(s)

Paul Vixie paul at redbarn.org
Thu Aug 27 00:02:08 UTC 2015



Roland Dobbins wrote:
> On 26 Aug 2015, at 20:16, Ken Peng wrote:
>
>> Do you have the suggestions on general DNS defending?
>
> ACLs to keep out-of-profile traffic off the servers (they're different
> for authoritative vs. recursive servers); RRL for authoritative
> servers; logical separation of authoritative and recursive servers;
> S/RTBH or flowspec; dnsdist; astute use of RPZ; tuning DNS servers
> (both the named itself and the OS/IP stack) to handle lots of TCP; the
> use of intelligent DDoS mitigation systems (IDMSes) to protect DNS
> servers (there are both open-source and commercial options; full
> disclosure, I work for a vendor of such solutions).

yow. that's a great list. i found RFC 5358 but the rest seems not to be
well publicized. i suspect ("hope") that joe abley is about to reach out
to you offering to co-author a DNSOP i-d which explains all of those
methods in detail.

-- 
Paul Vixie
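For readers who want to see how several items on Roland's list look in practice, here is an added BIND 9 named.conf example (not from this thread, and not Paul's or Roland's configuration): two separate files, one for an authoritative-only server with RRL, one for a site-restricted recursive resolver with an RPZ feed. The prefixes 192.0.2.0/24, 2001:db8::/32 and 203.0.113.5, the zone names, and the rate-limit numbers are placeholders chosen for illustration.

```conf
# ---- File 1: named.conf on the AUTHORITATIVE-ONLY server ----
# Logical separation: this host never recurses, so it cannot be used
# as an open resolver; RRL limits how much it amplifies for spoofed sources.
options {
    recursion no;                    # never recurse here
    allow-query { any; };            # authoritative data must be served to everyone
    allow-recursion { none; };       # belt and braces with "recursion no"
    allow-query-cache { none; };     # never hand out cached data
    minimal-responses yes;           # smaller answers, less amplification
    tcp-clients 1000;                # handle lots of TCP (tune the OS listen backlog too)
    rate-limit {
        responses-per-second 10;     # identical answers per source block per second
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;                    # seconds over which the above are averaged
        slip 2;                      # every 2nd dropped answer is sent truncated (TC=1),
                                     # so a real client retries over TCP and is not lost
        ipv4-prefix-length 24;       # placeholder: aggregate v4 sources by /24
        ipv6-prefix-length 56;       # placeholder: aggregate v6 sources by /56
        log-only no;                 # start with "yes" to observe before enforcing
    };
};
zone "example.net" { type master; file "zones/example.net.db"; };

# ---- File 2: named.conf on the RECURSIVE resolver for the site's own clients ----
# Per RFC 5358, recursion is offered only to the networks we serve.
acl "site-clients" { 192.0.2.0/24; 2001:db8::/32; localhost; localnets; };
options {
    recursion yes;
    allow-query { site-clients; };        # weak setting: { any; } == open resolver
    allow-recursion { site-clients; };
    allow-query-cache { site-clients; };
    dnssec-validation auto;
    tcp-clients 1000;
    response-policy { zone "rpz.example.org"; };   # RPZ: local policy rewrites answers
};
# RPZ zone transferred from the (placeholder) feed provider at 203.0.113.5
zone "rpz.example.org" { type slave; masters { 203.0.113.5; }; file "zones/rpz.db"; };
```

S/RTBH, flowspec and the upstream mitigation systems in the list are network-side controls and are not expressed in named.conf; newer BIND releases also accept "primary"/"secondary"/"primaries" in place of "master"/"slave"/"masters".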
