On Jan 2, 2014, at 4:22 PM, Eugeniu Patrascu <eu...@imacandi.net> wrote:
> FWIW, if you run your customers' recursive resolvers on a Linux/*BSD box you
> can set up iptables/pf in such a way that you only allow queries from
> customers and from your resolver to the internet in a stateful way and deny
> unrelated incoming "responses" and still have the same performance levels.

Until someone DDoSes the box from one end or the other, taking down both authoritative service and recursive service at one fell swoop.

That's one of the many reasons one's DNS ought to look something like this:

<https://app.box.com/s/72bccbac1636714eb611>

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
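The stateful iptables arrangement Eugeniu describes (accept queries only from customer space, let the resolver's own queries out, drop unrelated inbound "responses"), worked through as an added example. This is not code from the thread or from either poster. It assumes a Linux box running a recursive-only resolver (the authoritative service lives elsewhere, per Roland's point), uses the RFC 5737 documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 as stand-ins for real customer space, and deliberately omits management traffic (SSH, monitoring), which a real deployment would add.

```shell
#!/bin/sh
# Added example, not from the cisco-nsp thread: emit an iptables-restore
# ruleset for a recursive-only DNS resolver. Customer prefixes are passed as
# arguments; the ones in the usage line are RFC 5737 documentation ranges.
#
# Usage: gen_resolver_rules 203.0.113.0/24 198.51.100.0/24 | iptables-restore -n
#        (or: sh this_script.sh 203.0.113.0/24 198.51.100.0/24 > resolver.rules)

gen_resolver_rules() {
    echo '*filter'
    # Default-deny on every chain; everything below is an explicit exception.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Answers to queries this resolver sent: conntrack already has an entry for
    # the outbound UDP/TCP flow, so the reply is ESTABLISHED and comes straight in.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot place in any flow are dropped before the query rules.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # New queries are accepted only from customer prefixes, over UDP and TCP
    # (TCP is needed for truncated answers and zone-sized responses).
    for cidr in "$@"; do
        echo "-A INPUT -s $cidr -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A INPUT -s $cidr -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Unsolicited packets from source port 53 (spoofed or reflected "responses")
    # reach here only if no conntrack entry matched them. The policy would drop
    # them anyway; explicit rules keep a per-rule counter so a flood is visible.
    echo '-A INPUT -p udp --sport 53 -j DROP'
    echo '-A INPUT -p tcp --sport 53 -j DROP'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to customers ride on the conntrack entry the inbound query created.
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The resolver's own upstream queries are the only NEW traffic allowed out.
    echo '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A OUTPUT -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    echo 'COMMIT'
}

if [ "$#" -gt 0 ]; then
    gen_resolver_rules "$@"
fi
```

The ruleset depends entirely on the conntrack table, which is exactly where Roland's objection bites: a UDP flood from either side fills the state table (bounded by net.netfilter.nf_conntrack_max) and, once it is full, the kernel drops new flows, legitimate customer queries included. Keeping authoritative and recursive service on separate hosts limits that failure to one function rather than both.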