[dns-operations] omnibus reply (Re: solutions for DDoS mitigation of DNS)
Tessa Plum
tessa at plum.ovh
Fri Apr 3 00:25:08 UTC 2020
Paul Vixie wrote:
> there is never a time when DNS RRL won't help, but it may not be _enough_.
>
> DNS RRL should be the default for all authority servers, subject to tuning,
> but never requiring knowledge or action by operators.
>
> if you turn on DNS RRL on an authority server that you didn't think was being
> abused or attacked, you will see a drop in your egress traffic.
>
> turn it on and keep it on. use the default recommended settings unless you're
> interested in operational research.
>
> once that's been done, solve whatever problems you still have, along the lines
> i explained last night:
>
> * subscribe to a "DDoS scrubbing service"
>
> * add more network capacity
>
> * use local anycast to increase the per-logical-server capacity
>
> * add more secondary servers
>
> open source DNS software and OSPF ECMP is adequate here, you do not need a
> commercial load balancer nor a commercial DNS appliance.
>
> again, DNS RRL has no downside. i hereby call upon all DNS vendors to make it
> their default.
Thanks Paul for this detailed answer and suggestions.
regards.
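As an added illustration of the mechanism recommended above (an example written for this page, not part of the thread and not the code of any DNS server), here is a simplified Python model of DNS RRL: responses that are identical for one client netblock share a credit bucket, and once the credit is spent, responses are dropped except that every `slip`-th one goes out truncated (TC=1) so a genuine resolver retries over TCP. The per-second rate, prefix lengths and the sample traffic are constructed assumptions.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) on an authority server.
Constructed example: a spoofed-source reflection flood (one client netblock,
one repeated answer) is rate-limited, while many distinct resolvers asking
for different names are unaffected."""
from ipaddress import ip_address, ip_network


class RRL:
    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix=24, ipv6_prefix=56):
        self.rps = responses_per_second     # identical responses allowed per second
        self.slip = slip                    # every slip-th over-limit response is truncated, not dropped
        self.prefixes = {4: ipv4_prefix, 6: ipv6_prefix}
        self.buckets = {}                   # key -> [credit, last_seen, over_limit_count]

    def key(self, client_ip, qname, qtype, rcode):
        """Bucket identity: client netblock plus what the response would say."""
        ip = ip_address(client_ip)
        net = ip_network(f"{ip}/{self.prefixes[ip.version]}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode):
        """Return 'send', 'truncate' or 'drop' for one would-be response."""
        b = self.buckets.setdefault(self.key(client_ip, qname, qtype, rcode), [float(self.rps), now, 0])
        b[0] = min(float(self.rps), b[0] + (now - b[1]) * self.rps)  # refill, capped at one second's worth
        b[1] = now
        if b[0] >= 1.0:
            b[0] -= 1.0
            return "send"
        b[2] += 1
        if self.slip and b[2] % self.slip == 0:
            return "truncate"   # TC=1, empty body: a real resolver retries over TCP
        return "drop"


def simulate(rrl, responses):
    """Tally what the server would emit for a list of (time, client, qname, qtype, rcode)."""
    counts = {"send": 0, "truncate": 0, "drop": 0}
    for r in responses:
        counts[rrl.decide(*r)] += 1
    return counts


# Constructed traffic (documentation address ranges): one spoofed source repeating the
# same ANY query 100 times within 0.1 s, and 20 ordinary resolvers asking for distinct names.
FLOOD = [(i * 0.001, "203.0.113.7", "example.test", "ANY", "NOERROR") for i in range(100)]
LEGIT = [(i * 0.001, f"198.51.100.{i}", f"host{i}.example.test", "A", "NOERROR") for i in range(1, 21)]

if __name__ == "__main__":
    print("flood:", simulate(RRL(), FLOOD))   # {'send': 5, 'truncate': 47, 'drop': 48}
    print("legit:", simulate(RRL(), LEGIT))   # {'send': 20, 'truncate': 0, 'drop': 0}
```

The flood's full-size egress collapses from 100 responses to 5 plus 47 tiny truncated ones, while every legitimate answer is still sent; setting `slip=0` would drop all over-limit responses and forfeit the TCP fallback.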