
8 Aug 2025, 12:12 p.m.
On Aug 7, 2025, at 9:41 PM, John Todd via NANOG <nanog@lists.nanog.org> wrote:
> we split traffic on the "back-end" between PowerDNS recursor and Unbound

Using multiple products is definitely best practice. At my company, we have half of our (anycasted) authoritative DNS servers using BIND, and the other half using PowerDNS. If you don't do this, you can be vulnerable to something like CVE-2025-40775, where an attacker can terminate all your DNS servers simultaneously by sending each a malicious packet. Or maybe there's some other bug in the software that makes it randomly crash at a certain time. If this happens, you want to make sure that only half of them go offline.

-- Robert L Mathews