The DDOS attack on DYN & RRL ?

Barry Margolin barmar at alum.mit.edu
Tue Nov 1 14:41:02 UTC 2016


In article <mailman.546.1477931391.74444.bind-users at lists.isc.org>,
 Ben Croswell <ben.croswell at gmail.com> wrote:

> I think what we see as a result of this attack is DNS provider diversity
> being the new buzz phrase. The same as not relying on a single ISP link, I
> see more people using multiple DNS providers.
> The size of these attacks will grow as IoT continues to grow. It makes
> sense to have diverse providers to ensure your domains are serviceable if a
> provider gets attacked.

My boss asked me to look into this after the attack. The sticking point 
seems to be that most DNS providers don't allow zone transfers from 
their servers. We currently get our auth DNS from SoftLayer, the hosting 
provider for our primary web, application, and database servers. I 
contacted them to find out if it's possible to enable zone transfers to 
a third party slave service, they said no; they suggested that we simply 
set up both services as masters, which would mean we'd have to update 
them independently (or write our own scripts that make use of each 
service's API). The customers of Dyn are in the same situation.

Maybe last week's incident will prompt enough big customers to demand 
this that they'll change their policies.

-- 
Barry Margolin
Arlington, MA
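One way to implement the "both providers as masters, kept in step by your own scripts" approach Barry describes, as an added example that is not from the thread and not any provider's code: the script diffs the zone you want (say, an export from the primary provider) against the zone the second provider currently serves, normalizing names, case and IPv6 text so that only real differences show up, and reports the SOA serials separately because with two masters each provider serves its own SOA. The zone texts, provider hostnames and IP addresses are constructed for the example; the API calls that would apply the resulting add/delete list are provider-specific and left out.

```python
#!/usr/bin/env python3
"""Zone diff for keeping two independently managed DNS masters in sync.

Added example, not code from the bind-users thread or from any provider.
Handles a subset of zone-file syntax: one record per line, $ORIGIN/$TTL,
optional TTL and class, owner inherited from the previous line, ';' comments
(not inside TXT), no parentheses or multi-line records.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (owner FQDN, RR type, normalized rdata)
RR_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "TXT", "PTR", "CAA", "SOA"}


def _fqdn(name: str, origin: str) -> str:
    """Absolute, lower-case form of a zone-file name ('@', relative or absolute)."""
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def _normalize_rdata(rtype: str, rdata: List[str], origin: str) -> str:
    """Canonical rdata so cosmetic provider differences do not count as changes."""
    if rtype in ("NS", "CNAME", "PTR"):
        return _fqdn(rdata[0], origin)
    if rtype == "MX":
        return f"{int(rdata[0])} {_fqdn(rdata[1], origin)}"
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata[0]).compressed  # 2001:DB8:0:0::1 == 2001:db8::1
    return " ".join(rdata)  # A, TXT, CAA compared verbatim (after whitespace collapse)


def parse_zone(text: str, origin: str) -> Tuple[Set[Record], Optional[int]]:
    """Return (records, SOA serial). The SOA is reported but never compared:
    with two masters each provider legitimately serves its own SOA."""
    records: Set[Record] = set()
    serial = None
    last_owner = _fqdn("@", origin)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue  # TTLs are deliberately outside the comparison
        fields = line.split()
        if raw[0] in " \t":  # leading blank: owner inherited from previous record
            owner = last_owner
        else:
            owner = _fqdn(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)  # optional TTL and class, in either order
        rtype = fields.pop(0).upper()
        if rtype not in RR_TYPES:
            raise ValueError(f"unsupported record type {rtype} in line: {raw!r}")
        if rtype == "SOA":
            serial = int(fields[2])  # mname rname serial refresh retry expire minimum
            continue
        records.add((owner, rtype, _normalize_rdata(rtype, fields, origin)))
    return records, serial


def plan_sync(desired_text: str, current_text: str, origin: str) -> dict:
    """Records the second provider must add/delete to match the desired zone."""
    desired, desired_serial = parse_zone(desired_text, origin)
    current, current_serial = parse_zone(current_text, origin)
    return {
        "add": sorted(desired - current),
        "delete": sorted(current - desired),
        "serials": (desired_serial, current_serial),
    }


# Constructed sample zones (hypothetical providers A and B, documentation IPs).
DESIRED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.provider-a.example. hostmaster.example.com. 2016110101 7200 900 1209600 300
@       IN NS   ns1.provider-a.example.
@       IN NS   ns1.provider-b.example.
@       IN A    192.0.2.10
@       IN AAAA 2001:DB8::10
@       IN MX   10 mx1
        IN MX   20 mx2.example.com.
mx1     IN A    192.0.2.25
mx2     IN A    192.0.2.26
www     IN CNAME @
"""

CURRENT_ZONE_AT_B = """\
$ORIGIN example.com.
@  3600 IN SOA ns1.provider-b.example. hostmaster.example.com. 2016102700 7200 900 1209600 300
@       IN NS ns1.provider-a.example.
@       IN NS NS1.PROVIDER-B.EXAMPLE.   ; differs only in case
@       IN A 192.0.2.10
@       IN AAAA 2001:db8:0:0:0:0:0:10   ; same address, uncompressed
www     IN A 192.0.2.10                 ; stale: should be a CNAME now
@       IN MX 10 mx1.example.com.
mx1     IN A 192.0.2.25
"""

if __name__ == "__main__":
    plan = plan_sync(DESIRED_ZONE, CURRENT_ZONE_AT_B, "example.com.")
    print("SOA serials (desired, provider B):", plan["serials"])
    for rec in plan["delete"]:
        print("DELETE", *rec)
    for rec in plan["add"]:
        print("ADD   ", *rec)
```

Run against the constructed zones it reports one stale A record to delete and three records to add (the second MX, its A record and the www CNAME), while the case-only NS difference and the uncompressed AAAA are correctly ignored. Feed the "add" and "delete" lists to each provider's API in that order (deletes first, so a name does not briefly hold both an A and a CNAME), and run the same diff in the other direction if the second provider is ever edited by hand.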

