Hi, thanks for your help on my question. After reading those comments carefully, I reach the following conclusions:

1. ISPs use a firewall to protect their DNS servers;
2. An ACL on the router may be a good solution for protecting DNS servers; the policy could be "only pass those packets which originate from customers' IP address blocks and are destined to UDP port 53 of the DNS server";
3. Currently, it may be a little difficult for a firewall to filter DNS requests not conforming to the DNS documents; but Nominum's product could;
4. Anycast is the most scalable and standard solution for a dispersed DNS server farm, while a layer-4 switch could deal with a centralized server farm;
5. 'bogon' in the BIND configuration could be used to filter requests from RFC1918 addresses;
6. A firewall may become the bottleneck of the DNS server farm in the situation of a DoS attack or a high session rate;
7. It's a good solution to divide DNS servers into two groups, one for recursive lookups and the other for non-recursive;
8. BIND should be configured carefully, and there is a BIND secure template to follow.

Have I missed something? And I have another two questions:

a) If a firewall is used to protect the DNS server farm, could it do more than the router's ACL while reaching the same performance-cost ratio? Which one is usually chosen by those ISPs having big customer numbers? (We noticed DNS requests from our customers keep increasing in the past months.)

b) Is there any publicly available performance evaluation of Nominum's product?

Any of your words will be highly appreciated.

Joe
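A sketch of how points 2, 5 and 7 above map onto a BIND named.conf, as an added example that is not part of the thread or of any poster's configuration. The customer address blocks and the zone name are placeholders; the two views stand in for the two server groups the post proposes, and would be deployed on separate hosts in practice.

```conf
// Added example, not from the thread. Address blocks and zone are placeholders.
acl "customers" {
    192.0.2.0/24;        // placeholder for the ISP's own customer blocks
    198.51.100.0/24;     // placeholder
};

acl "bogons" {
    10.0.0.0/8;          // RFC 1918 private space, per point 5
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    directory "/var/named";
    recursion no;            // safe default; the resolver view re-enables it
    blackhole { bogons; };   // never answer queries from RFC 1918 sources
};

// Resolver group (point 7): recursion only for customer sources (point 2).
view "resolver" {
    match-clients { customers; };
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };
};

// Authoritative group (point 7): answers hosted zones for anyone, never recurses.
view "authoritative" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    zone "example.net" {         // placeholder zone
        type master;
        file "example.net.zone";
    };
};
```

The router ACL from point 2 still sits in front of this: BIND's ACLs decide what to answer, but only the network edge stops the packets from reaching the farm at all.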