I’m sure there are plenty of people that will disagree with me, but, IMO, you should never put stateful devices in front of a DNS server. It’s better to have plenty of DNS servers on different networks and let them crash and burn if necessary. Just like you never put bananas in the refrigerator :-) A moderate-volume DDoS will bring most stateful firewalls to their knees, even attacks that can be weathered nicely by a FreeBSD + BIND box. I had a very nice conversation in CPH with a person from Russia and we were very much in agreement on this. Sadly I forgot his name and neither of us had any cards left. If you’re there, please get in touch! -Carlos
On Jun 28, 2016, at 10:16 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Tue, Jun 28, 2016 at 12:41:51PM +0200, Ralf Weber <dns@fl1ger.de> wrote a message of 32 lines which said:
IMHO this is full of bad ideas and against protocol specs. While I agree that in this day and age one must defend against attacks on DNS systems, just blindly dropping on packet size or fragments is a very bad idea. Forwarding to 8.8.8.8 also is
I said more or less the same on the RIPE Labs site (comment not yet moderated).