[dns-operations] A dns-proxy for DNS over HTTP(s)

Ken Peng kpeng at runbox.com
Thu Aug 27 01:40:06 UTC 2015


From my very own viewpoint, DNS is too weak against attacks these days.
It should be upgraded at both the protocol level and the system implementation level.
Why not consider upgrading to TCP? It's far easier to defend the systems.
As a DNS service provider we are tired of handling all kinds of attacks
each day. This is not good for either us or the customers.

Thanks.


On 2015/8/27 Thursday 8:02, Paul Vixie wrote:
>
>
> Roland Dobbins wrote:
>> On 26 Aug 2015, at 20:16, Ken Peng wrote:
>>
>>> Do you have the suggestions on general DNS defending?
>>
>> ACLs to keep out-of-profile traffic off the servers (they're different
>> for authoritative vs. recursive servers); RRL for authoritative
>> servers; logical separation of authoritative and recursive servers;
>> S/RTBH or flowspec; dnsdist; astute use of RPZ; tuning DNS servers
>> (both the named itself and the OS/IP stack) to handle lots of TCP; the
>> use of intelligent DDoS mitigation systems (IDMSes) to protect DNS
>> servers (there are both open-source and commercial options; full
>> disclosure, I work for a vendor of such solutions).
>
> yow. that's a great list. i found RFC 5358 but the rest seems not to be
> well publicized. i suspect ("hope") that joe abley is about to reach out
> to you offering to co-author a DNSOP i-d which explains all of those
> methods in detail.
>
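Added example, not part of the thread and not written by any of the posters: BIND 9 named.conf fragments that put three of the items on Roland's list into configuration, namely recursion ACLs (the RFC 5358 point), RRL on the authoritative side, and keeping the authoritative and recursive roles on separate servers, with the open-resolver setting shown beside the corrected one. The three `options` blocks are three separate named.conf files (BIND allows only one `options` block per file); the addresses are RFC 5737/3849 documentation ranges and the ACL names are assumed.

```conf
// ===== Server A (WEAK): one named that is authoritative AND an open
// recursive resolver. Anyone on the Internet can use it for reflection or
// amplification, and cache-poisoning attempts share a process with the
// authoritative data. Do not run this.
options {
    directory "/var/named";
    recursion yes;                  // with no allow-recursion this is an open resolver
};
zone "example.com" { type master; file "example.com.zone"; };

// ===== Server B (CORRECTED): authoritative only, with RRL.
acl "monitoring" { 192.0.2.10; };   // assumed management host, exempt from RRL

options {
    directory "/var/named";
    recursion no;                   // never recurse for anyone (RFC 5358)
    allow-query { any; };           // authoritative data is public by design
    allow-query-cache { none; };    // there is no cache to answer from
    minimal-responses yes;          // smaller answers, less amplification factor
    tcp-clients 2000;               // headroom for clients that retry over TCP after a TC answer
    rate-limit {
        responses-per-second 10;    // identical answers per client prefix (/24 v4, /56 v6) per second
        nxdomains-per-second 5;     // random-subdomain floods produce mostly NXDOMAIN
        errors-per-second 5;
        window 5;                   // seconds over which the token bucket is averaged
        slip 2;                     // every 2nd dropped response is sent truncated (TC=1),
                                    // so real clients fall back to TCP while spoofed ones get nothing
        exempt-clients { "monitoring"; };
        log-only no;                // set to yes first and watch the logs before enforcing
    };
};
zone "example.com" { type master; file "example.com.zone"; };

// ===== Server C (CORRECTED): recursive resolver for our own networks only.
acl "customers" { 192.0.2.0/24; 2001:db8::/32; };   // assumed customer ranges

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "customers"; localhost; };    // RFC 5358: restrict who may recurse
    allow-query-cache { "customers"; localhost; };
    allow-query { "customers"; localhost; };
    // no authoritative zones here: the roles stay on separate servers
};
```

The `slip` setting is what lets RRL drop spoofed reflection traffic without breaking legitimate clients: a spoofed source never sees the truncated answer, while a real resolver retries the query over TCP, which is why `tcp-clients` is raised on the authoritative server. Running with `log-only yes` for a day before enforcing shows which client prefixes and names would have been limited, so the thresholds can be tuned to the zone's real query profile rather than guessed.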


