With these types of attacks, usually anycast will cause rolling outages. Anycast gives you failover, which makes sure the attack (and good) traffic makes it to the next available server to be impaired or taken offline. On Jul 30, 2011, at 1:01 PM, Alex Nderitu <nderitualex@gmail.com> wrote:
Dns anycast can in addition to acl help distribute load. On Jul 30, 2011 9:44 PM, "Jon Lewis" <jlewis@lewis.org> wrote:
On Sat, 30 Jul 2011, Drew Weaver wrote:
my DNS servers were getting slow so I blocked recursive queries for all but my own network.
This should be the standard practice. By operating an open recursor, you lend your DNS server to abuse as a contributor to DNS reflection/amplification attacks.
-----------------------------------------------------------------------
And at this point he may as well just ACL in-front of the recursors to prevent the traffic from hitting the servers thus reducing load needed to reject the queries on the servers themselves.
An awful lot of older/smaller deployments have single servers doing both authoratative and recursive DNS. These should be setup with either an allow-recursion { ACL;} statement or separate authoratative and recursive views limiting recursion to just those networks that should be sending recursive queries.
Another option is to run separate services bound to different individual IPs on the server. i.e. bind9 or powerdns for authoratative DNS and unbound for recursion.
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________