Paul Vixie wrote:
there is never a time when DNS RRL won't help, but it may not be _enough_.

DNS RRL should be the default for all authority servers, subject to tuning,
but never requiring knowledge or action by operators.

if you turn on DNS RRL on an authority server that you didn't think was being
abused or attacked, you will see a drop in your egress traffic.

turn it on and keep it on. use the default recommended settings unless you're
interested in operational research.

once that's been done, solve whatever problems you still have, along the lines
i explained last night:

* subscribe to a "DDoS scrubbing service"

* add more network capacity

* use local anycast to increase the per-logical-server capacity

* add more secondary servers

open source DNS software and OSPF ECMP is adequate here, you do not need a
commercial load balancer nor a commercial DNS appliance.

again, DNS RRL has no downside. i hereby call upon all DNS vendors to make it
their default.


Thanks Paul for this detailed answer and suggestions.

regards.
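Paul's point that RRL cuts egress without breaking real clients, as an added example that is not part of this thread: a simplified model of RRL's per-netblock token bucket plus "slip" (every Nth suppressed answer goes out truncated so a genuine resolver retries over TCP), run over constructed traffic. The bucket model is a simplification of what BIND implements, and the reply sizes are assumed.

```python
"""Simplified DNS RRL model: one bucket per (client netblock, qname, qtype),
refilled at responses-per-second, with slip.  Traffic and sizes are constructed."""
import ipaddress

FULL_SIZE = {"ANY": 3000, "A": 80}   # assumed full-answer sizes in bytes
TC_SIZE = 60                          # assumed truncated reply: header + question


class RRL:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps, self.slip, self.prefix_len = responses_per_second, slip, prefix_len
        self.buckets = {}  # key -> [balance in millitokens, last_ms, suppressed]

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, now_ms, client_ip, qname, qtype):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one query."""
        cap = self.rps * 1000
        b = self.buckets.setdefault(self._key(client_ip, qname, qtype), [cap, now_ms, 0])
        b[0] = min(cap, b[0] + (now_ms - b[1]) * self.rps)  # integer refill
        b[1] = now_ms
        if b[0] >= 1000:
            b[0] -= 1000
            return "send"
        b[2] += 1
        return "slip" if self.slip and b[2] % self.slip == 0 else "drop"


def simulate(queries, limiter=None):
    """Apply limiter to (time_ms, client_ip, qname, qtype); return counts + bytes."""
    r = {"send": 0, "slip": 0, "drop": 0, "bytes": 0}
    for now, ip, qname, qtype in queries:
        v = limiter.decide(now, ip, qname, qtype) if limiter else "send"
        r[v] += 1
        r["bytes"] += FULL_SIZE[qtype] if v == "send" else TC_SIZE if v == "slip" else 0
    return r


def constructed_traffic():
    # Constructed: 1000 spoofed ANY queries in one second "from" a victim address,
    # plus three ordinary A queries from an unrelated resolver.
    attack = [(i, "198.51.100.7", "example.com", "ANY") for i in range(1000)]
    legit = [(t, "203.0.113.5", "www.example.com", "A") for t in (100, 500, 900)]
    return sorted(attack + legit)


if __name__ == "__main__":
    print("no RRL :", simulate(constructed_traffic()))
    print("RRL on :", simulate(constructed_traffic(), RRL()))
```

The legitimate resolver's three answers all go out unchanged; the spoofed stream is cut to a handful of full answers plus small truncated replies, which is the egress drop Paul describes.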
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations