> 1. Is that really required to protect DNS server by
> firewall?

Yes, it's a very, very good idea to do so.

> How do those ISPs, e.g. AT&T, Sprint, make
> their DNS system highly available?

By protecting it with a firewall. :-)

> Could we do that
> by filtering traffic besides port destined to port
> 53?

Yes, exactly. And possibly also by creating two different pools of DNS servers: one pool which is accessible from everywhere, and which is authoritative for your and your customers' domains; the other which is accessible only to your customers, and which performs recursive resolution on their behalf.

> 2. How could we extend our server farm by adding new
> servers while announcing the same IP addresses to our
> customers?

By doing exactly that. Sharing one IP address across many servers is called "anycast" and is standard practice for DNS service provision.

> 4. Which hardware/OS platform is better for DNS
> service?

The combination you've got, Solaris 8 and BIND 9, is fine. Some people would use other DNS server software, and some people would use FreeBSD or NetBSD, but you've got a very mainstream combination. We run Solaris 9 and BIND 9 on about forty DNS servers, for instance.

> 5. Is that possible to filter those requests not
> conforming to DNS documents?

That's a lot tougher. Are you asking whether it's possible to have an application-layer firewall screen out malformed requests _before they get to your DNS server_? That's theoretically possible, but I don't know of anyone who does it. Once the queries have arrived at the DNS server, the DNS server application may be able to filter them in different ways, and discard different classes of queries with different kinds of logging or notification.

-Bill
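One way to express the two-pool split Bill describes in BIND 9 configuration, as an added example that is not from his mail or any particular ISP: two separate named.conf files, one for a public authoritative server with recursion switched off, one for a customer-only resolver whose queries and recursion are limited to customer prefixes. The ACL networks, zone names and file paths are constructed placeholders.

```conf
// Added example: two BIND 9 named.conf files, one per DNS pool.
// All addresses, zone names and file paths are constructed placeholders.

// ===== File 1: named.conf on a Pool A server (public, authoritative only) =====
acl "secondaries" { 192.0.2.53; 198.51.100.53; };  // our own secondary servers (placeholders)

options {
    directory "/var/named";
    recursion no;                        // serve only the zones we host; never resolve for strangers
    allow-query { any; };                // anyone on the Internet may ask about our zones
    allow-transfer { "secondaries"; };   // full zone copies go only to our own secondaries
    version "not disclosed";             // don't advertise the exact BIND build in version.bind
};

zone "example.net" {                     // our own domain (placeholder)
    type master;
    file "master/example.net.zone";
};

zone "customer-example.com" {            // a customer's domain we host (placeholder)
    type master;
    file "master/customer-example.com.zone";
};

// ===== File 2: named.conf on a Pool B server (customer-only recursive resolver) =====
acl "customers" { 203.0.113.0/24; 10.20.0.0/16; };  // customer address ranges (placeholders)

options {
    directory "/var/named";
    recursion yes;
    allow-query { "customers"; };        // non-customers get no answer at all
    allow-recursion { "customers"; };    // and only customers may trigger lookups on their behalf
    allow-transfer { none; };            // a resolver hosts no zones to hand out
    version "not disclosed";
};

zone "." {                               // root hints so the resolver can walk the tree
    type hint;
    file "named.root";
};
```

The packet filter in front of each pool admits only destination port 53 (UDP and TCP) as the mail suggests, and for Pool B additionally only from the customer prefixes, so the split is enforced both at the network edge and in named itself.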