> > Anycast is a way to make the service generally available to as
> > many end-systems as want/need the service. So is multi-homing.
> > ... long term, what is important is the view that there is a
> > common namespace, not that there are special servers.
>
> sorry, that's just too deep for me today.
more eggnog. if the client can ensure that the data asked for
came from an authentic source and arrived intact, does it really
matter the path or intermediate nodes taken to get the data?
> > little, in practice, can make a DNS service ddos proof.
> > it can be done, but the side effects are worse than the cure.
>
> being "worse" begs the question "worse for whom?", and for many, the
> things that can be done to ddos-proof a service are not worse than the
> ddos problem. so i'll consider that you mean "worse for you" and i'll
> wait to hear why that's true in your situation. (it's not true in mine.)
ddos proof DNS service can be had in one way - don't run
DNS. - moving up from there, air-gaps, running the service
on non-networked interfaces, e.g. ::1, augmenting the DNS service
with "bodyguard" support services, e.g. ACLs, firewalls, router
filters ad.nasusa, use of strong crypto (signed data, transaction
signatures) et.al. ... everyone invites attacks by disaffected or
bored, the students trying to pass Dr. JBs classes, the vaguely
curious, the helpful, the application developers who optimise locally
at the expense of others, and the down-right hostile. if you run
DNS - they WILL come.
ddos resistant is a moving target. the techniques you use are based
on the deployment choices you make. they will not n'cssly be the
same as i, or anyone else, might use.
as usual, YMMV,
--bill
