Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread Jeff Aitken
On Tue, Aug 17, 2004 at 09:32:28PM +0200, [EMAIL PROTECTED] wrote:
> > Hosts tend to be a faster write-off cycle than routers in companies I've
> > worked at, therefore getting the benefit of Moore's law about 25% faster
> > than the routers. Turn on firewalling in the host.
>
> If you have a choi

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread sthaug
> > this should be pushed to
> > the router. don't waste CPU cycles
> > on the Nameserver.
>
> Hosts tend to be a faster write-off cycle than routers in companies I've
> worked at, therefore getting the benefit of Moore's law about 25% faster
> than the routers. Turn on firewalling i

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread vijay gill
On Tue, Aug 17, 2004 at 03:57:17AM +, [EMAIL PROTECTED] wrote:
> > 5. 'bogon' in BIND configuration could be used to
> > filter requests from RFC1918 address;
>
> this should be pushed to
> the router. don't waste CPU cycles
> on the Nameserver.

Hosts tend to be a faster

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread sthaug
> What I'm not sure about ACL on router is, how to
> survive DNS server under DoS/DDoS attack. We suffered
> from DoS attack last year, and we found the source IPs
> of that attack are located in our customers' IP address
> blocks. ACL on router could only filter that traffic
> not meaningful to DNS se

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread Michael . Dillon
> >>Nope. Its -INFORMATIONAL- e.g. Not a Standard.
> >
> > P.S. That would be "i.e.". If you are going to argue semantic points,
> > you should get your grammar right. =)
>
> I think "a Standard" was just an example of one of the things it is
> not. It is also not a pressure washer, a s

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread Joe Shen
Hi,

> > in situation of DoS attack or situation of high
> > session rate;
>
> Routers with hardware based access lists. No
> problem.

What I'm not sure about ACL on router is, how to survive DNS server under DoS/DDoS attack. We suffered from DoS attack last year, and we found the source IPs of

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread Joe Abley
On 17 Aug 2004, at 00:46, Patrick W Gilmore wrote: Nope. Its -INFORMATIONAL- e.g. Not a Standard. P.S. That would be "i.e.". If you are going to argue semantic points, you should get your grammar right. =) I think "a Standard" was just an example of one of the things it is not. It is also no

Re: Summary with further Question: Domain Name System protection

2004-08-17 Thread sthaug
> 1. ISPs use firewall to protect their DNS server;

Depends. You don't normally need a full-fledged (stateful) firewall. Normal (stateless) router access lists are just fine.

> 2. ACL on router may be a good solution for protecting
> DNS servers, the policy could be "only pass those
> packets,

Re: Summary with further Question: Domain Name System protection

2004-08-16 Thread Patrick W Gilmore
On Aug 17, 2004, at 12:31 AM, [EMAIL PROTECTED] wrote: 4. Anycast is the most scalable and standard solution for dispersed DNS server farm, while layer-4 switch could deal could do with centralized server farm; its not a standard. , aka _Host Anycasti

Re: Summary with further Question: Domain Name System protection

2004-08-16 Thread bmanning
> >>4. Anycast is the most scalable and standard solution
> >>for dispersed DNS server farm, while layer-4 switch
> >>could deal could do with centralized server farm;
> >
> > its not a standard.
>
> , aka _Host Anycasting
> Service_
>
> Looks

Re: Summary with further Question: Domain Name System protection

2004-08-16 Thread Patrick W Gilmore
On Aug 16, 2004, at 11:57 PM, [EMAIL PROTECTED] wrote: 4. Anycast is the most scalable and standard solution for dispersed DNS server farm, while layer-4 switch could deal could do with centralized server farm; its not a standard. , aka _Host Anycasti

Re: Summary with further Question: Domain Name System protection

2004-08-16 Thread bmanning
> 1. ISPs use firewall to protect their DNS server;

some do, some don't

> 4. Anycast is the most scalable and standard solution
> for dispersed DNS server farm, while layer-4 switch
> could deal could do with centralized server farm;

its not a standard.

> 5. 'bogon' in BIND conf

Re: Summary with further Question: Domain Name System protection

2004-08-16 Thread Patrick W Gilmore
On Aug 16, 2004, at 11:03 PM, Joe Shen wrote: 3. Currently, it may be a little difficult for firewall to filter DNS requests not conforming to DNS document; but, Nominum's product could; If you are looking for firewall-esque devices to protect name servers, look into Riverhead (purchased by cisco

Summary with further Question: Domain Name System protection

2004-08-16 Thread Joe Shen
Hi, thanks for your help on my question. After reading those comments carefully, I reached the following conclusions:

1. ISPs use firewall to protect their DNS server;
2. ACL on router may be a good solution for protecting DNS servers, the policy could be "only pass those packets, whose originat