[dns-operations] solutions for DDoS mitigation of DNS
tessa at plum.ovh
Fri Apr 3 08:18:40 UTC 2020
I really appreciate your kind private message, though I would like
to post my reply to the list.
We are running authoritative name servers only, zone data are for the
When the attack happened, the bandwidth observed at our gateway was about
20Gbps. That made the name servers completely unresponsive. Each name server has
only a 1Gbps interface to the internet, so it dies.
We were considering the following actions:
1. increase bandwidth to both the inbound gateway and the VLAN for the nameservers.
2. upgrade the network interface of each nameserver to 10Gbps.
3. run multiple servers as a cluster.
4. try to get a commercial device to analyze and stop this kind of attack.
5. enable RRL when an attack happens.
6. I will try to suggest that the administrator run secondary nameservers on
professional hosting, such as Cloudflare, Akamai, AWS Route 53, etc.
(can easyDNS, DNSimple, DNSMadeEasy and NS1 also be considered?)
What do you think of them?