shimi wrote:
Are there such things as "specialized secure DNS host" or just about
any host is good enough (e.g. we registered most of our domains at
godaddy).
You could use the UltraDNS from Neustar services [1]. It WILL cost you
:-) But I guess those guys know what they're doing: They run one of
the root DNS servers of the Internet... they provide DNS service to
some major companies out there, including Amazon.com. They use Anycast
to take the queries to network-wise close locations, so they'll be
answered fast and also limit the effect of DoS attacks to only the
part of the world where the attack came from.
I have no specific knowledge of UltraDNS, and if Amazon uses them, I'm
sure they're very good at what they are doing.
However, please be aware that DNS based attacks are often not directed
at infrastructure under the attacked entity's control (e.g. poisoning
resolvers, NetBIOS replies, initiating domain transfers through a
less-than-competent registrar, etc). And while you should do what you
can to secure your DNS infrastructure, you should be using other means
as well - e.g. server certificates; client certificates; RSA tokens, etc.
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il