----- Original Message -----
>
> > Any comments and best practice solution info very welcome.
>
> Folks with significant requirements with regard to high availability
> are likely to put a hardware loadbalancer running a VIP which
> receives DNS requests and balances it onto a pool of reals (aka the
> boxes running nameservers), including liveness checks so the LB will
> transparently migrate around a nameserver which is down.
>
>
Speaking of using a load balancer... I have wondered about putting our BigIP in front of our authoritative only nameservers, hadn't thought about doing it for HA. But whether it would help against DDoS?

I know there's a DNSFloodProtection iRule, and wonder if the BigIP does any protection of its own (or is it just the SYN flood DDoS that it does). Though I recall that they had published that GTM v11 has DNS DDoS protections, but our current platform is limited to 10.2.4 and we only have LTM.

Though if I did put the BigIP in front, would the DDoS traffic towards the nameserver VIPs impact other services on the BigIP?

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users