1. ISPs use firewalls to protect their DNS servers;
Some do, some don't.
4. Anycast is the most scalable and standard solution for a dispersed DNS server farm, while a layer-4 switch could do for a centralized server farm;
It's not a standard.
5. 'bogon' in the BIND configuration could be used to filter requests from RFC1918 addresses;
This should be pushed to the router. Don't waste CPU cycles on the nameserver.
6. A firewall may become the bottleneck of a DNS server farm under a DoS attack or a high session rate;
Yes.
7. It's a good solution to divide DNS servers into two groups, one for recursive lookups and the other for non-recursive;
Yes.
8. BIND should be configured carefully, and there is a BIND secure template to follow;
Although the template will not meet every case.
a) If a firewall is used to protect a DNS server farm, could it do more than a router's ACL while reaching the same performance-cost ratio? Which one is usually chosen by ISPs with large customer numbers? (We noticed DNS requests from our customers kept increasing in past months.)
General rule: drop undesired traffic as far upstream as possible.
b) Is there any publicly available performance evaluation of Nominum's product?
You should check with the Nominum staff on any performance evaluations.
Any words from you will be highly appreciated.
Joe
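The following named.conf skeleton is an added illustration of points 5 and 7 of the exchange above (a 'bogon' ACL for RFC1918 and similar source addresses, and separating recursive from non-recursive service). It is not part of the original message, not the BIND secure template referred to there, and not anyone's production configuration; the customer prefixes, the zone name and the file paths are placeholders. The two server groups are shown as two views in one file for brevity; on separate hosts, each view's settings would simply become that host's global options.

```conf
// Added example (not from the original post or any published template).
// All prefixes, zone names and paths below are assumed placeholders.

// Source addresses that should never reach a public nameserver.
// The reply above is right that the upstream router ACL should drop
// these first; this list is only a second line of defence.
acl "bogon" {
    0.0.0.0/8;
    10.0.0.0/8;
    127.0.0.0/8;
    169.254.0.0/16;
    172.16.0.0/12;
    192.168.0.0/16;
    224.0.0.0/3;
};

// Customer address space allowed to use the recursive resolver
// (assumed placeholder prefixes, documentation ranges only).
acl "customers" {
    192.0.2.0/24;
    203.0.113.0/24;
};

options {
    directory "/var/named";
    version "not disclosed";
    // Ignore queries from, and never send queries to, bogon sources.
    blackhole { "bogon"; };
    // Recursion is off by default; only the customer view enables it.
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
};

// Group 1: recursive service, reachable only from customer space.
view "resolver" {
    match-clients { "customers"; };
    recursion yes;
    allow-recursion { "customers"; };
    allow-query-cache { "customers"; };
    zone "." {
        type hint;
        file "named.ca";
    };
};

// Group 2: authoritative-only service for everyone else.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.net" {
        type master;
        file "db.example.net";
    };
};
```

Views are evaluated in order, so a customer address matches "resolver" and never sees the authoritative view; everyone else gets answers only for zones the server is authoritative for and cannot use its cache. The blackhole list costs a match per packet on the nameserver, which is exactly the CPU the reply says to spend on the router instead, so keep it short and put the real drop in the upstream ACL.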