Re: Summary with further Question: Domain Name System protection
1. ISPs use a firewall to protect their DNS server;
Depends. You don't normally need a full-fledged (stateful) firewall. Normal (stateless) router access lists are just fine.
2. An ACL on the router may be a good solution for protecting DNS servers; the policy could be "only pass those packets which originate in customers' IP address blocks and are destined to UDP port 53 of the DNS server";
In general, allow only relevant traffic. That may be a bit more than just UDP port 53: You really want to allow TCP based DNS queries also, and your name server probably needs SSH, NTP and similar.
5. 'bogon' in the BIND configuration could be used to filter requests from RFC1918 addresses;
Better to do it on the router.
6. A firewall may become the bottleneck of a DNS server farm in a DoS attack or a high session rate situation;
Routers with hardware-based access lists. No problem.
b) Is there any publicly available performance evaluation of Nominum's product?
See Brad Knowles' tests: http://www.ripe.net/ripe/meetings/archive/ripe-44/presentations/ripe44-dns-d... We currently have the Nominum CNS on trial here, and we are very impressed. It performs much better than BIND 8/9 - our measurements show even greater differences than Brad Knowles' tests. Example: One server running BIND 9 shows more than 30% CPU usage during peak hours, but only 2-3% with Nominum CNS. We also have the issue that BIND 9 seems to start *failing* when it reaches a certain cache size (as in: Some queries are either not answered at all, or they are answered with SERVFAIL). Steinar Haug, Nethelp consulting, sthaug@nethelp.no
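The stateless access-list policy discussed above (customer blocks to port 53 over both UDP and TCP, RFC1918 sources dropped at the router, SSH and NTP permitted from management), modelled as an ordered first-match ACL evaluator. This is an added example, not code from either poster; the resolver address, customer blocks and management net are constructed sample values.

```python
"""First-match ACL model for a customer-facing DNS resolver (added example)."""
from ipaddress import ip_address, ip_network
from typing import Callable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


# Constructed sample topology; these are assumptions, not the poster's network.
RESOLVER = ip_address("198.51.100.53")
CUSTOMER_BLOCKS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]
MGMT_NET = ip_network("198.51.100.0/28")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def _in(nets, addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def _to_resolver(p: Packet, proto, dport: int) -> bool:
    return ip_address(p.dst) == RESOLVER and p.proto in proto and p.dport == dport


# Ordered (name, predicate, action); the first matching rule wins, as on a router.
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    # Bogon filtering belongs on the router, ahead of any permit.
    ("deny-rfc1918-source", lambda p: _in(RFC1918, p.src), "deny"),
    # DNS needs TCP 53 as well as UDP 53 (truncated answers, zone transfers).
    ("permit-customer-dns",
     lambda p: _in(CUSTOMER_BLOCKS, p.src) and _to_resolver(p, ("udp", "tcp"), 53),
     "permit"),
    ("permit-mgmt-ssh", lambda p: _in([MGMT_NET], p.src) and _to_resolver(p, ("tcp",), 22), "permit"),
    ("permit-mgmt-ntp", lambda p: _in([MGMT_NET], p.src) and _to_resolver(p, ("udp",), 123), "permit"),
]


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name); unmatched traffic hits the implicit deny."""
    for name, match, action in RULES:
        if match(pkt):
            return action, name
    return "deny", "implicit-deny"


def permitted(pkts: List[Packet]) -> List[Packet]:
    """Packets the ACL lets through. Note it is purely address/port based: a
    flood with sources inside the customer blocks is permitted like any query."""
    return [p for p in pkts if evaluate(p)[0] == "permit"]
```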
Hi,
in a DoS attack or a high session rate situation;
Routers with hardware-based access lists. No problem.
What I'm not sure about with ACLs on the router is how a DNS server can survive a DoS/DDoS attack. We suffered from a DoS attack last year, and we found the source IPs of that attack were located in our customers' IP address blocks. An ACL on the router can only filter traffic that is not meaningful to the DNS server, but what about those DDoS attack packets?
We currently have the Nominum CNS on trial here, and we are very impressed. It performs much better than BIND 8/9 - our measurements show even greater differences than Brad Knowles' tests. Example: One server running BIND 9 shows more than 30% CPU usage during peak hours, but only 2-3% with Nominum CNS. We also have the issue that BIND 9 seems to start *failing* when it reaches a certain cache size (as in: Some queries are either not answered at all, or they are answered with SERVFAIL).
Impressive! What's the peak value of concurrent DNS requests in your trial? Thanks. Joe
participants (2)
- Joe Shen
- sthaug@nethelp.no