Recursive servers have to be able to receive responses from anywhere on the internet. There is no way to configure that so it can't be flooded off of the internet.
Nor can RTBH stop a true DDoS. That is the 'distributed' part that is the first D. Nor will it stop a reflection attack, which is even more damaging because then you are blocking important authoritative DNS servers. Using tiers of recursive resolvers doesn't help. Using distributed resolvers might, depending on the nature of the attack. As an ISP operator, I can tell you that your solution will only work for someone whose customers can't leave for another provider.

Mack McBride | Network Architect | ViaWest, Inc.
O: 720.891.2502 | mack.mcbr...@viawest.com | www.viawest.com | LinkedIn | Twitter | YouTube

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Monday, December 30, 2013 7:13 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] rate limit dns

On Dec 31, 2013, at 1:27 AM, Mack McBride <mack.mcbr...@viawest.com> wrote:

> Phishing has little to do with DNS per se.

Some does, actually.

> BUT, forcing customers to use your DNS results in the possibility of all of
> your customers suffering in a DDoS situation where your DNS servers are
> targeted.

If your first-line recursive DNS servers are configured correctly, then they can't be DDoSed directly from outside your network, and it's easy enough to squelch attacks originating from within your network via S/RTBH or other mitigation mechanisms.

There are mitigation mechanisms to protect the upper tier of external resolvers which feed the first-tier resolvers, as well.

What part of allowing Google DNS and OpenDNS by default wasn't clear? Also, note that policies can be altered, if circumstances warrant.

But any network operator which doesn't have the capability to defend its own recursive DNS servers from DDoS attacks should take steps to implement S/RTBH, et al.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
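To make the "configured correctly" part of Dobbins' reply concrete, here is an added BIND 9 named.conf illustration that is not from either poster or from the cisco-nsp list: the open-resolver form next to a form that restricts recursion and cache access to customer prefixes. The prefixes in the `customers` ACL are constructed documentation ranges, not any real ISP's address space.

```conf
// ---- Weak: open resolver. Anyone on the internet can ask this server to
// ---- recurse, so it can be flooded with queries directly and used as a
// ---- reflector/amplifier against third parties.
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};

// ---- Restricted: only customer address space may recurse or read the cache.
// ---- 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are constructed
// ---- placeholder prefixes (RFC 5737 / RFC 3849 documentation ranges).
acl customers {
    192.0.2.0/24;
    198.51.100.0/24;
    2001:db8::/32;
};

options {
    recursion yes;
    // Refuse recursive queries from sources outside the customer ACL.
    allow-recursion { customers; localhost; localnets; };
    // Do not hand cached answers to outsiders either (cache probing / reflection).
    allow-query-cache { customers; localhost; localnets; };
    // Response Rate Limiting: caps identical responses sent per second,
    // which limits how useful the server is as a reflection amplifier.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
    // Static analogue of squelching a misbehaving internal source: named will
    // neither answer this address nor send queries to it. Placeholder host.
    blackhole { 192.0.2.250; };
};
```

Note the limit of this configuration, which is the point Mack McBride makes at the top of the thread: `allow-recursion` controls who may ask the server to resolve names, but a recursive resolver must still accept UDP responses from arbitrary authoritative servers on its outbound query sockets, so the ACL does not by itself stop a flood of unsolicited packets aimed at that path. The ACL and RRL remove the server from the pool of open resolvers and reduce its value as a reflector; absorbing a volumetric flood is a network-layer problem (S/RTBH, upstream filtering, anycast distribution), not something named.conf can solve.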