[Pdns-users] Re: Features: ACLs (for AXFR et al), configurable SQL queries
Duane
duane at e164.org
Fri May 5 16:17:46 UTC 2006
Norbert Sendetzky wrote:
> Never do a task in the DNS server that can be better done by a firewall ;-)

Yes and no...

Take for example e164.org, e164.org operates an enum tree which allows
people to look up SIP URIs against enum.164 numbers and we are currently
toying around with centralised request counting to prevent brute force
attacks, but at the same time we will need to keep a white list of
proxies that will be allowed to do several requests per second...

Ok this isn't an easy problem, we're still scratching our heads, but it
can be done, but I don't think inside the DNS server is the answer
either unless there is a whole bunch of extensions to it to allow
collecting of IP stats as well...

But saying a straight out firewall isn't the answer either, especially
if the servers are spread out over multiple continents...
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
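
One way the centralised request counting with a proxy allowlist discussed in this message could work, as an added example that is not code from the poster, e164.org or PowerDNS. The class name, limits, server labels and documentation-range addresses are assumptions, and reports are assumed to reach the counter in timestamp order.

```python
import ipaddress
from collections import Counter, defaultdict, deque


class CentralCounter:
    """Counts queries per client across all reporting DNS servers (hypothetical design)."""

    def __init__(self, window, default_limit, proxy_limit, proxies):
        self.window = window                # sliding window length in seconds
        self.default_limit = default_limit  # queries per window for unknown clients
        self.proxy_limit = proxy_limit      # queries per window for allowlisted proxies
        self.proxies = [ipaddress.ip_network(p) for p in proxies]
        self.seen = defaultdict(deque)      # client -> timestamps of answered queries
        self.servers = defaultdict(set)     # client -> servers that reported it
        self.denied = Counter()             # client -> refused queries, for review

    def limit_for(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        # An IPv4/IPv6 mismatch simply counts as "not in" the network.
        if any(addr in net for net in self.proxies):
            return self.proxy_limit
        return self.default_limit

    def report(self, server, client_ip, ts):
        """Record one query seen by `server`; return True if it should be answered."""
        key = str(ipaddress.ip_address(client_ip))  # normalise the textual form
        self.servers[key].add(server)
        q = self.seen[key]
        while q and q[0] <= ts - self.window:       # drop entries older than the window
            q.popleft()
        if len(q) >= self.limit_for(key):
            self.denied[key] += 1
            return False
        q.append(ts)
        return True


if __name__ == "__main__":
    # Constructed sample: one client spreading queries over three servers.
    c = CentralCounter(window=1.0, default_limit=2, proxy_limit=5,
                       proxies=["192.0.2.0/28"])
    for ev in [("eu", "198.51.100.7", 0.0), ("us", "198.51.100.7", 0.1),
               ("ap", "198.51.100.7", 0.2), ("eu", "192.0.2.5", 0.3)]:
        print(ev, c.report(*ev))
```

Because the count is kept per client rather than per server, a client that spreads its lookups over servers on different continents still hits the same limit, which a per-host firewall rule would not see.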