> 1. ISPs use firewall to protect their DNS server;

Depends. You don't normally need a full-fledged (stateful) firewall. Normal (stateless) router access lists are just fine.

> 2. ACL on router may be a good solution for protecting
> DNS servers, the policy could be "only pass those
> packets that originate from customers' IP address
> blocks and are destined for UDP port 53 of the DNS server";

In general, allow only relevant traffic. That may be a bit more than just UDP port 53: You really want to allow TCP based DNS queries also, and your name server probably needs SSH, NTP and similar.

> 5. 'bogon' in BIND configuration could be used to
> filter requests from RFC1918 addresses;

Better to do it on the router.

> 6. Firewall may become bottleneck of DNS server farm
> in situation of DoS attack or situation of high
> session rate;

Routers with hardware based access lists. No problem.

> b) Is there any publicly available performance
> evaluation of Nominum's product?

See Brad Knowles' tests:

http://www.ripe.net/ripe/meetings/archive/ripe-44/presentations/ripe44-dns-dnscomp.pdf

We currently have the Nominum CNS on trial here, and we are very impressed. It performs much better than BIND 8/9 - our measurements show even greater differences than Brad Knowles' tests. Example: One server running BIND 9 shows more than 30% CPU usage during peak hours, but only 2-3% with Nominum CNS.

We also have the issue that BIND 9 seems to start *failing* when it reaches a certain cache size (as in: Some queries are either not answered at all, or they are answered with SERVFAIL).

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
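As an added illustration of points 2, 5 and 6 above (this is example configuration written for this page, not something posted by the original questioner or by Steinar Haug), here is a stateless Cisco IOS extended access list that implements the "only relevant traffic" policy on the router rather than on a stateful firewall or in BIND. All addresses are placeholders from the RFC 5737 documentation ranges: 203.0.113.10 is the recursive name server, 198.51.100.0/22 the customer block, 192.0.2.0/28 the management network. Two things are assumptions on my part rather than statements from the thread: the list is applied outbound on the router interface that faces the name server, so every packet to the server passes through one list; and because a caching resolver sends its own queries upstream, replies from port 53 to the server's high ports must be permitted explicitly, since a stateless list keeps no connection state.

```cisco
! Added example (not from the original message): stateless extended ACL
! protecting a recursive DNS server at the ISP edge router.
! Placeholder addresses (RFC 5737 documentation ranges):
!   203.0.113.10    recursive DNS server
!   198.51.100.0/22 customer address block
!   192.0.2.0/28    management / NOC network
ip access-list extended DNS-SERVER-OUT
 ! Point 5: drop RFC 1918 sources on the router, not in BIND
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 ! Point 2: customer queries to the resolver, UDP *and* TCP port 53
 permit udp 198.51.100.0 0.0.3.255 host 203.0.113.10 eq 53
 permit tcp 198.51.100.0 0.0.3.255 host 203.0.113.10 eq 53
 ! Assumption: the resolver queries upstream servers itself, so replies
 ! from source port 53 to its ephemeral ports must pass the stateless list
 permit udp any eq 53 host 203.0.113.10 gt 1023
 permit tcp any eq 53 host 203.0.113.10 gt 1023
 ! Management traffic the name server still needs: SSH from the NOC, NTP
 permit tcp 192.0.2.0 0.0.0.15 host 203.0.113.10 eq 22
 permit udp any eq 123 host 203.0.113.10 eq 123
 ! Everything else towards the server is dropped; log it so scans and
 ! floods hitting the list show up in syslog
 deny   ip any host 203.0.113.10 log
!
! Point 6: the list is evaluated in hardware on the server-facing interface
interface GigabitEthernet0/1
 description towards DNS server farm
 ip access-group DNS-SERVER-OUT out
```

Because the list holds no session state, it is evaluated per packet in the router's forwarding hardware, which is why it does not become the bottleneck under a query flood that point 6 worries about. The explicit logged deny at the end is what gives operations a signal when unexpected traffic reaches the server.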