[dns-operations] Everyone having their own resolver

Matthew Ghali mghali at snark.net
Thu Feb 4 02:02:56 UTC 2016


> On Feb 3, 2016, at 9:20 AM, Paul Hoffman <phoffman at proper.com> wrote:
> 
> On 3 Feb 2016, at 7:41, Matthew Pounsett wrote:
> 
>> The existing infrastructure can probably handle it initially, sure .. but expect your domain registrations and DNS hosting to be an order of magnitude more expensive.   Much of the authoritative infrastructure has an overhead multiplier built into its capacity, where the multiplier is locally chosen based on the likelihood and impact of DDoS.  Some infrastructures are built to handle over 100x the “normal” traffic load.
>> 
>> When the normal query rate sees an order (or two) magnitude jump, it eats away that extra capacity built into the system, and everyone has to scale up to get back their DDoS-eating overhead.
> 
> These are interesting bold statements, and I've heard similar over the past few years.

I’ll go a bit further..

If production providers are indeed provisioning DNS service with headroom of 100x normal query rate, a dramatic (citation needed?) order of magnitude increase in legitimate resolver traffic isn’t much of a problem. If you sit down and do the math, it calls for less than 10% additional capacity to handle an absolute worst-case scenario.

With the accuracy most of our measurement tools can provide, this is likely within the margin of error.

Now, whether or not the 100x headroom anecdote is correct can be debated; but as stated this seems like a bit of a straw man. 

matt

