PROACTIVE STEPS TO AVOID A DOS ATTACK
Submitted by Paul Parisi, CTO - DNSstuff.com
13 March 07
A Denial of Service (DoS) attack floods your site with traffic, often crafted to look like legitimate requests, so that it cannot respond in a timely fashion to the requests of real users. Everyone is susceptible to Denial of Service attacks.
Since DNS is a particularly vulnerable attack vector (if your name servers cannot answer, your site is unreachable even when the web servers themselves are fine), it is important that you do everything you can to ensure that you are as well protected as possible.
Many of the domains we monitor at DNSstuff have all of their DNS servers on the same subnetwork and therefore, most likely, in the same physical location.
Ideally you want a minimum of two physically and geographically separate DNS servers, on different networks. Then, when an attack saturates one network and takes its DNS server offline, the DNS server on the other network can still respond.
Additionally, it is important that your authoritative DNS server not be used as an open resolver by clients for general DNS lookups. An open resolver answers recursive queries from anyone on the Internet, which means it can be abused to reflect and amplify attack traffic against others and it keeps a cache that outsiders can try to poison. Many smaller providers co-mingle both functions, authoritative DNS hosting and recursive resolution, on the same server. Co-mingling these functions is not a good idea: the abusive traffic an open resolver attracts can take your authoritative service down with it, and a poisoned cache on that same server can lead to a compromise of the answers given out for your zone.
- Make sure that your DNS servers are in separate physical locations, using separate Internet providers
- Make sure that your authoritative DNS servers are not open resolvers (they should refuse recursive queries from arbitrary clients)
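The two checks above can be automated. The script below is an added example, not DNSstuff's tooling, and uses only the Python standard library. Given a zone's NS hostnames it resolves them, flags name servers whose addresses fall in the same /24 (a sign they share a subnet and probably a location and provider), and sends each one a recursion-desired query for a name it is not authoritative for; a server that sets the RA flag and hands back an answer for that name is acting as an open resolver. The probe name `example.com`, the /24 grouping width and the UDP timeout are assumptions chosen for the example.

```python
"""Check a zone's name servers for shared subnets and open recursion.

Added example, not DNSstuff's own code. The parsing and grouping
functions work offline on constructed data; run_checks() needs network
access.
"""
import ipaddress
import socket
import struct
import sys
from collections import defaultdict

PROBE_NAME = "example.com"  # assumed: any name outside the zone under test
QTYPE_A = 1


def build_query(qname, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    """Build a minimal RFC 1035 DNS query: 12-byte header plus one question."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in qname.rstrip(".").split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_header(response):
    """Decode the DNS header of a response into its flags and section counts."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # response
        "aa": bool(flags & 0x0400),    # authoritative answer
        "rd": bool(flags & 0x0100),    # recursion desired (echoed)
        "ra": bool(flags & 0x0080),    # recursion available
        "rcode": flags & 0x000F,       # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def looks_like_open_resolver(response):
    """Verdict for an RD=1 probe of a name the server is not authoritative for.

    A server that resolved the name on our behalf sets RA and returns a
    NOERROR answer with records in it. A correctly configured
    authoritative-only server answers REFUSED, or NOERROR with RA clear
    and no answer records (a referral at best).
    """
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def group_by_network(name_to_ips, prefix_len=24):
    """Group name servers by the IPv4 network (default /24) holding their address."""
    groups = defaultdict(set)
    for name, ips in name_to_ips.items():
        for ip in ips:
            if ipaddress.ip_address(ip).version != 4:
                continue  # IPv6 left out of this example
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            groups[str(net)].add(name)
    return {net: sorted(names) for net, names in groups.items()}


def shared_networks(name_to_ips, prefix_len=24):
    """Networks that contain more than one of the zone's name servers."""
    return {net: names
            for net, names in group_by_network(name_to_ips, prefix_len).items()
            if len(names) > 1}


def udp_query(server_ip, packet, timeout=3.0):
    """Send one UDP DNS query to port 53 and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return data


def run_checks(ns_names):
    """Resolve the NS hostnames, report shared /24s and probe for open recursion."""
    name_to_ips = {
        ns: sorted({r[4][0] for r in socket.getaddrinfo(ns, 53, socket.AF_INET)})
        for ns in ns_names
    }
    for net, names in shared_networks(name_to_ips).items():
        print(f"WARNING: {', '.join(names)} share {net}")
    for ns, ips in name_to_ips.items():
        for ip in ips:
            try:
                verdict = looks_like_open_resolver(udp_query(ip, build_query(PROBE_NAME)))
            except (OSError, ValueError) as exc:  # timeout is an OSError subclass
                verdict = f"no verdict ({exc})"
            print(f"{ns} ({ip}): open resolver = {verdict}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python dnscheck.py ns1.yourzone.example ns2.yourzone.example ...")
    run_checks(sys.argv[1:])
```

Feed it the output of `dig +short NS yourzone.example`. Two caveats: two servers in different /24s can still sit in the same rack, so the grouping is a hint to follow up with a traceroute or a whois on the address blocks, not proof of diversity; and a server that answers REFUSED to the probe has recursion closed to you but may still allow it for its own customer ranges, which is the intended configuration.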