[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

Moin!

On 29 Jun 2016, at 8:55, Henrik Lund Kramshøj wrote:
> and when being attacked the harm is already done, service will be 
> interrupted if we do nothing …
There is a difference on doing something as a response to attacks or 
having something hanging there that might treat you bad down the road.

> so the talk about these boxes throwing away some traffic, bad 
> middleboxes etc. These are not middleboxes, but part of the overall 
> solution at the end-network - and as such they increase operational 
> cost - but they bring more resilience and stability to the service. 
> They even work using the existing hardware devices in many 
> circumstances, making the cost less than buying “DDoS protection 
> service box model 2000"
>
> YMMV, and you should always consider your own environment, adding 
> DNSSEC comments are great etc. Some things SHOULD be discarded, others 
> rate-limited
I don't have problems with discarding, but again it should be done where 
the impact is understood and a router doesn't have that. Doing opaque 
dropping to the outbound of a resolver even while part of the solution 
can have weird effects and should be avoided.

> and shameless link 
> https://ripe72.ripe.net/wp-content/uploads/presentations/32-simulated-ddos-ripe.pdf 
> which has similar advise
Again that was during the attack and not permanent (Anand can correct me 
if I got it wrong). Also this was an authoritative server which has a 
different defence pattern that a resolver that was described in the 
article.

So long
-Ralf