[dns-operations] omnibus reply (Re: solutions for DDoS mitigation of DNS)

Tessa Plum tessa at plum.ovh
Fri Apr 3 00:25:08 UTC 2020

Paul Vixie wrote:
> there is never a time when DNS RRL won't help, but it may not be _enough_.
> DNS RRL should be the default for all authority servers, subject to tuning,
> but never requiring knowledge or action by operators.
> if you turn on DNS RRL on an authority server that you didn't think was being
> abused or attacked, you will see a drop in your egress traffic.
> turn it on and keep it on. use the default recommended settings unless you're
> interested in operational research.
> once that's been done, solve whatever problems you still have, along the lines
> i explained last night:
> * subscribe to a "DDoS scrubbing service"
> * add more network capacity
> * use local anycast to increase the per-logical-server capacity
> * add more secondary servers
> open source DNS software and OSPF ECMP is adequate here, you do not need a
> commercial load balancer nor a commercial DNS appliance.
> again, DNS RRL has no downside. i hereby call upon all DNS vendors to make it
> their default.

Thanks Paul for this detailed answer and suggestions.
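As an added illustration, not part of this thread and not Paul's or the list's own configuration, this is what "turn it on and keep it on" with the commonly cited starting values looks like in a BIND 9 named.conf. The zone name and file paths are placeholders, and the numbers follow the example in the BIND Administrator Reference Manual rather than any tuning discussed here.

```conf
options {
    directory "/var/named";            // placeholder path
    recursion no;                      // authoritative-only server, as in the thread

    // Response Rate Limiting (RRL). Placing the block in `options`
    // applies it to every zone this server is authoritative for.
    rate-limit {
        responses-per-second 5;        // identical responses allowed per client netblock per second
        window 5;                      // seconds over which that allowance is averaged
        slip 2;                        // every 2nd limited response is sent truncated (TC=1)
                                       // instead of dropped, so real clients can retry over TCP
        // log-only yes;               // enable this first to see what WOULD be limited
                                       // without enforcing, then remove it to enforce
    };
};

zone "example.com" {                   // placeholder zone
    type master;
    file "example.com.zone";           // placeholder file
};
```

A practical rollout is to run with `log-only yes` for a while, watch the rate-limit messages named logs, confirm that what is being limited is repetitive traffic rather than ordinary client queries, and only then remove the `log-only` line and reload with `rndc reconfig`. Comparing outbound bytes before and after that switch is the simplest way to check the egress drop Paul describes on your own server.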

