<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:#606420;
text-decoration:underline;}
span.EmailStyle17
{font-family:Arial;
color:windowtext;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-CA link=blue vlink="#606420">
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>First, let me introduce myself. I work on the ISP side of </span></font><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Bell</span></font><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> </span></font><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Canada</span></font><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>, and have
recently been given the job of “hardening” our DNS infrastructure,
I’ve been following the ongoing discussions on this list with
interest.</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I’m interested in best practices around DNS security,
and more specifically what has been found to be effective in both detecting and
preventing attacks against DNS. </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>A few questions that will hopefully generate some discussion.
</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>What have you found is the most effective way to prevent recursive
queries from foreign address space against your DNS servers?. DNS ACLs,
Firewall ACLs or Router ACLs; have you found one of these to be more effective
or easier to manage? </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Are you running firewalls in front of your DNS servers? If
so are they effective? Are there any DNS specific problems with firewalls to be
aware of?</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Are you using Intrusion Detection Systems to detect DNS specific
attacks? Has this been effective? </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any other suggestions or best practices you believe the rest
of the DNS community should be following?</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Caleb</span></font></p>
</div>
</body>
</html>