[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Mirjam Kuehne
Dear colleagues,

Ramtin Kiaei shows how to mitigate DNS attacks by implementing a stateless firewall filter at the aggregation or edge router.

Please find his article on RIPE Labs:
https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=l

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Ralf Weber
Moin!

On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
> Dear colleagues,
>
> Ramtin Kiaei shows how to mitigate DNS attacks by implementing a stateless firewall filter at the aggregation or edge router.
>
> Please find his article on RIPE Labs:
> https://labs.ripe.net/Members/ramtin_kiaei/securing-networ

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Mirjam Kuehne
Hi Ralf,

Thanks for the feedback. I am copying the author so he is aware of your comment.

Kind regards,
Mirjam

On 28/6/16 12:41, Ralf Weber wrote:
> Moin!
>
>
> On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
>
>> Dear colleagues,
>>
>> Ramtin Kiaei shows how to mitigate DNS attacks by implem

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Stephane Bortzmeyer
On Tue, Jun 28, 2016 at 12:41:51PM +0200, Ralf Weber wrote a message of 32 lines which said:

> IMHO this is full of bad ideas and against protocol specs. While I
> agree that in this day and age one must defend against attacks on
> DNS systems, just blindly dropping on packet size or fragment

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Carlos M. Martinez
I’m sure there are plenty of people that will disagree with me, but, IMO, you should never put stateful devices in front of a DNS server. It’s better to have plenty of DNS servers on different networks and let them crash and burn if necessary. Just like you never put bananas in the refrigerator :-)

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Stephane Bortzmeyer
On Tue, Jun 28, 2016 at 10:46:17AM -0300, Carlos M. Martinez wrote a message of 31 lines which said:

> I’m sure there are plenty of people that will disagree with me, but,
> IMO, you should never put stateful devices in front of a DNS
> server.

I fully agree but, precisely, this article use s

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Carlos M. Martinez
It talks about rate limiting, which seems to me is a bit hard to do in a stateless way :-D

> On Jun 28, 2016, at 10:59 AM, Stephane Bortzmeyer wrote:
>
> On Tue, Jun 28, 2016 at 10:46:17AM -0300,
> Carlos M. Martinez wrote
> a message of 31 lines which said:
>
>> I’m sure there are plenty of

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Nick Hilliard
Carlos M. Martinez wrote:
> It talks about rate limiting, which seems to me is a bit hard to do in a
> stateless way :-D

Queue / buffer management does not need to be stateful. Most implementations are stateless, except for flow based queues, which is not what's demonstrated here.

Nick

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Carlos M. Martinez
Thanks!

> On Jun 28, 2016, at 11:58 AM, Nick Hilliard wrote:
>
> Carlos M. Martinez wrote:
>> It talks about rate limiting, which seems to me is a bit hard to do in a
>> stateless way :-D
>
> Queue / buffer management does not need to be stateful. Most
> implementations are stateless, except

Re: [dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers

2016-06-28 Thread Henrik Lund Kramshøj
> On 28 Jun 2016, at 15:46, Carlos M. Martinez wrote:
>
> I’m sure there are plenty of people that will disagree with me, but, IMO, you
> should never put stateful devices in front of a DNS server. It’s better to
> have plenty of DNS servers on different networks and let them crash and burn if
>