I’m sure there are plenty of people who will disagree with me, but, IMO, you 
should never put stateful devices in front of a DNS server. It’s better to have 
plenty of DNS servers on different networks and let them crash and burn if 
necessary. Just like you never put bananas in the refrigerator :-)

A moderate volume DDoS will bring most stateful firewalls to their knees, even 
attacks that can be weathered nicely by a FreeBSD + bind box.

I had a very nice conversation in CPH with a person from Russia and we were 
very much in agreement on this. Sadly I forgot his name and neither of us had 
any cards left. If you’re there, please get in touch!

-Carlos

> On Jun 28, 2016, at 10:16 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> 
> On Tue, Jun 28, 2016 at 12:41:51PM +0200,
> Ralf Weber <d...@fl1ger.de> wrote 
> a message of 32 lines which said:
> 
>> IMHO this is full of bad ideas and against protocol specs. While I
>> agree that at these day and age one must defend against attacks on
>> DNS systems, just blindly dropping on packet size or fragments is a
>> very bad idea.  Forwarding to 8.8.8.8 also is
> 
> I said more or less the same on the RIPE Labs site (comment not yet
> moderated).
> 


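As an added illustration of the point made in the message above (this is not config from the thread or from any of its participants), here is what "no stateful device in front of the DNS server" looks like when the FreeBSD box runs its own pf firewall. The interface name `em0` and the server address `192.0.2.53` are assumed placeholders; the commented-out rule is the stateful default that a query flood turns into a state-table exhaustion problem, and the rules below it match each packet on its own without creating state:

```pf
# Assumed names; substitute your own.
ext_if = "em0"
dns_ip = "192.0.2.53"

# Stateful default (commented out): every query inserts an entry into the
# state table, so a moderate UDP flood fills the table and the firewall
# starts dropping traffic before the name server itself is in trouble.
# pass in on $ext_if proto udp from any to $dns_ip port 53 keep state

# Stateless rules for UDP/53: each packet is evaluated against the rule
# and forwarded; no state entry is created in either direction.
pass in  quick on $ext_if proto udp from any     to $dns_ip port 53 no state
pass out quick on $ext_if proto udp from $dns_ip port 53 to any     no state

# TCP/53 (zone transfers, retries after a truncated UDP answer). Without
# state pf cannot follow the handshake, so 'flags any' is required to
# admit every TCP segment regardless of its flags.
pass in  quick on $ext_if proto tcp from any     to $dns_ip port 53 flags any no state
pass out quick on $ext_if proto tcp from $dns_ip port 53 to any     flags any no state
```

Two caveats follow directly from the rules. With `no state` pf no longer checks that a response belongs to a query it saw, so the host's own TCP stack and the name server's source-port and ID matching become the only protection, which is exactly the trade-off the message argues for. And the `flags any` TCP rules admit any TCP segment to port 53, so they should be limited to the DNS address only, as above, and not widened to the whole host.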