[dns-operations] solutions for DDoS mitigation of DNS

Tessa Plum tessa at plum.ovh
Fri Apr 3 08:18:40 UTC 2020

Hi Steve

I really appreciate your kind private message, though I would like
to send my reply to the list.

We are running authoritative name servers only; the zone data are for the
university only.

When the attack happened, the bandwidth observed at our gateway was about
20Gbps. That made the name servers totally unresponsive. Each name server has
only a 1Gbps interface to the internet, so it dies.

We were considering these actions:
1. Increase bandwidth to both the inbound gateway and the VLAN for the nameservers.
2. Upgrade the network interface of the nameservers to 10Gbps.
3. Run multiple servers as a cluster.
4. Try to get a commercial device to analyse and stop this kind of attack.
5. Enable RRL when an attack happens.
6. I will try to suggest to the administrator that we run secondary nameservers on
professional hosting, such as Cloudflare, Akamai, AWS Route 53, etc.
   (could easyDNS, DNSimple, DNSMadeEasy and NS1 also be considered?)

What do you think of them?

Thank you.
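As an added illustration of item 5 (not part of the original post or of any particular DNS server's code), the following is a simplified model of response rate limiting in the style of BIND's RRL: responses are counted per (client /24, qname, qtype) per second, excess responses are dropped, and every Nth dropped response is instead "slipped" as a truncated reply so that a genuine client retries over TCP. The log events, prefix length, limit of 5 responses per second and slip value of 2 are all constructed for the example.

```python
import ipaddress
from collections import defaultdict


def build_sample_events():
    """Constructed traffic sample: 40 spoofed 'ANY' queries for the zone apex
    from addresses in one /24 within a single second, followed by three
    ordinary lookups from a different network. Tuples are (ts, client, qname, qtype)."""
    events = [(1585900000.0 + i * 0.01, f"198.51.100.{i + 1}", "example.edu.", "ANY")
              for i in range(40)]
    events += [(1585900000.5 + i * 0.1, "203.0.113.5", "www.example.edu.", "A")
               for i in range(3)]
    return events


def apply_rrl(events, responses_per_second=5, slip=2, prefix_len=24):
    """Classify each response as 'answer', 'slip' (truncated, TC=1) or 'drop'.

    Like BIND's RRL, the bucket key is the client prefix plus the identity of
    the response (qname/qtype), so one busy prefix asking one question cannot
    starve other clients or other names. Returns {key: {verdict: count}}."""
    buckets = defaultdict(lambda: {"window": None, "count": 0, "dropped": 0})
    stats = defaultdict(lambda: {"answer": 0, "slip": 0, "drop": 0})
    for ts, client, qname, qtype in events:
        net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
        key = (str(net), qname.lower(), qtype.upper())
        b = buckets[key]
        window = int(ts)  # one-second fixed window, enough for illustration
        if b["window"] != window:
            b["window"], b["count"], b["dropped"] = window, 0, 0
        b["count"] += 1
        if b["count"] <= responses_per_second:
            verdict = "answer"
        else:
            b["dropped"] += 1
            # every `slip`-th excess response goes out truncated instead of silently dropped
            verdict = "slip" if slip and b["dropped"] % slip == 0 else "drop"
        stats[key][verdict] += 1
    return {k: dict(v) for k, v in stats.items()}


if __name__ == "__main__":
    for key, counts in apply_rrl(build_sample_events()).items():
        print(key, counts)
```

Note that RRL only caps what the server sends back (limiting its usefulness as an amplifier and saving outbound capacity); it does nothing about 20Gbps of inbound packets saturating a 1Gbps link, which is why items 1, 2 and 6 still matter.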