
Yeah, as a person who in my $dailyjob builds hardware firewalls (so-called NGFWs, but also "SP class" boxes), I can assure you properly configured DNS servers can absolutely defend themselves. If they need protection, you're doing it wrong. And there are design choices (load balancers, ECMP/UCMP, anycast) that make these designs scale and switch over without any problems if additional "capabilities" don't get in their way. Adding a stateful firewall in front of them is a waste of good hardware. Moreover, if you insist on doing so, you'll likely suffer from state exhaustion or self-DDoS at one point in time. That typically leads you to blame the firewall vendor, and not your poor thinking, design or planning skills. Don't do that. KISS is decent design practice.

Doing "tricks" with a firewall may be relevant to enterprise-type deployments, where "fusing" DNS info with other pieces (identity, data plane telemetry, etc.) is typically an element of your security architecture (and defense).

What is way more useful for layered defence is applying QoS on the upstream switch/router if it is enforced in hardware. "QoS" as expressed in maximum packets/second (which are roughly requests), not as in bits/second (which is pretty useless). That is, if you do know the rough levels exceeding which make your server behave in a less stable/predictable way. This is hardly unique or innovative though.

I did deploy myself, and helped others to deploy, FreeBSD-based BIND and nsd+unbound anycasted DNS servers. The biggest one (two pairs of Xeon-based servers) was handling requests from ~3 million users while mostly idling last time I checked. And that was a couple of years ago. I know it's still in production and handling "more". The only firewall they have is pf with a pretty generic set of rules to drop host attacks and protect management access; DNS traffic is unfiltered as it doesn't make any sense.

-- ./
On 8 Aug 2025, at 18:20, Nick Hilliard via NANOG <nanog@lists.nanog.org> wrote:
Mel Beckman wrote on 08/08/2025 17:08:
Appropriately sized, HA firewall pairs mitigate this pretty handily.
Mel,
Please don't let me stop you from doing this. The failure modes are really quite entertaining, at least from a distance. Anyone got popcorn?
Nick

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H5WQB2KF...
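The host-firewall arrangement the poster describes (management access protected, DNS passed without state so a query flood cannot exhaust the state table), written out as an added pf.conf example; this is not the poster's configuration, and the interface name and management network are assumptions:

```pf
# Added example pf.conf for a DNS host. Interface name and management
# network are assumed values, not taken from the thread.
ext_if   = "vtnet0"
mgmt_net = "{ 192.0.2.0/24 }"

set skip on lo0

# Drop packets arriving with obviously forged source addresses.
antispoof quick for $ext_if

# Default deny inbound; everything below must pass explicitly.
block in log all

# Management plane: SSH only from the management network, tracked statefully.
pass in quick on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 \
    flags S/SA keep state

# Data plane: DNS passes in both directions WITHOUT creating state, so the
# state table cannot be filled by a flood of queries (the self-DDoS failure
# mode described above). "flags any" is needed on the stateless TCP rules:
# pf otherwise applies its default "flags S/SA" and would drop every
# non-SYN segment of a TCP DNS exchange.
pass in  quick on $ext_if proto udp from any to ($ext_if) port 53 no state
pass out quick on $ext_if proto udp from ($ext_if) port 53 to any no state
pass in  quick on $ext_if proto tcp from any to ($ext_if) port 53 flags any no state
pass out quick on $ext_if proto tcp from ($ext_if) port 53 to any flags any no state

# Traffic the host itself initiates (upstream lookups from ephemeral ports,
# zone transfers, updates) goes out statefully so replies are matched on return.
pass out on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `pfctl -si` state-table counters under load to confirm DNS traffic is no longer creating entries.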