[AusNOG] Optus outage last night?

Chris Hurley chris at minopher.net.au
Thu Jul 6 02:41:49 EST 2017


Preferred solution would be to install dnssec-trigger from NLnetLabs,
as it will detect if the DHCP-supplied DNS resolver goes down and will
automatically switch to use its own (locally installed) resolver. DNS
software is small, Unbound is about 200K, which is nothing compared to
other system software today.

A less preferred solution is to use publicly available resolvers, such as
Google-DNS or OpenDNS (now Cisco). These options have privacy and
security issues, as the leg between the client and the DNS resolver goes
unsecured over the public Internet.

OpenDNS supports DNScrypt, but installing that is more complicated than
using dnssec-trigger.

Hope this helps.


Regards,

Chris Hurley BE (Elec)
Signal Manager

******************************************************
Dragon Rail Pty Ltd     Phone: 1300 730 531
74 Allanfield Crescent
Boronia,  3155 Victoria
Australia          
      
******************************************************






On 6/07/2017, 12:31 AM, "AusNOG on behalf of Chris Hurley"
<ausnog-bounces at lists.ausnog.net on behalf of chris at minopher.net.au> wrote:

>Sharing insights from those that know far more than me.
>
><https://www.menandmice.com/resources/webinar-dns-high-availability-tools/>
>
>In short, the solution is that the 1st IP address should never go down.
>This can be achieved by a DNS-aware load-balancer, such as "dnsdist" or
>"relayd" mentioned in the webinar. I've also had good experience with
>the commercial A10 load-balancer.
>
>From the view of a DNS user, the solution is:
>
>Don't use the provider's DNS resolvers, run your own
>
>It's usually faster to have your own DNS resolver, and it's more secure
>(DNSSEC validation).
>
>For single machines, "dnssec-trigger"
>(https://nlnetlabs.nl/projects/dnssec-trigger/) is a great solution for
>Windows, MacOS X or Linux (should be in the package manager's repository).
>
>For larger networks (5-5000 Client machines), install one or more
>dedicated DNS resolvers (for small deployments, a Raspberry Pi 3 is
>powerful enough) using Unbound, Knot-Resolver or BIND 9. For larger
>deployments, use real server machines for the local resolver and deploy
>dnsdist or relayd in a High-Availability setup in front of the resolvers.
>
>
>So short version is Optus had an 'issue' and for home users the above
>gives some options. And yes we are a local agent for Men and Mice, but
>they only provide one of a couple of first class options.
>
>If anyone would like to discuss off list please email me.
>
>Regards,
>
>Chris Hurley BE (Elec)
>Signal Manager
>
>******************************************************
>Dragon Rail Pty Ltd     Phone: 1300 730 531
>74 Allanfield Crescent
>Boronia,  3155 Victoria
>Australia         
>      
>******************************************************
>

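The resolver check and fallback described in the message above, as an added example that is not part of the original post and is not dnssec-trigger's own code. It assumes a local Unbound on 127.0.0.1; the probe name default, the fixed query ID and the 192.0.2.x sample replies are constructed for illustration.

```python
import socket
import struct

LOCAL_RESOLVER = "127.0.0.1"  # assumption: local Unbound listens here
TXID = 0x1234                 # fixed ID for the demo; use a random one in practice

def build_query(name, qtype=1):
    """DNS query with RD+AD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", TXID, 0x0120, 1, 0, 0, 1)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 1232, TTL field with DO bit, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response):
    """Map a raw reply (None = timeout) to down / broken / insecure / validating."""
    if response is None or len(response) < 12:
        return "down"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != TXID or not flags & 0x8000:   # wrong ID or not a response
        return "down"
    if flags & 0x000F:                      # any RCODE other than NOERROR
        return "broken"
    # AD from an upstream is only a capability hint; validate locally as well.
    return "validating" if flags & 0x0020 else "insecure"

def probe(server, name="nlnetlabs.nl", timeout=2.0):
    """Send the query over UDP/IPv4; None means no reply within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return s.recvfrom(4096)[0]
        except OSError:
            return None

def choose_resolver(dhcp_servers, replies):
    """First DHCP-supplied resolver that answers with AD set, else the local one."""
    for server in dhcp_servers:
        if classify(replies.get(server)) == "validating":
            return server
    return LOCAL_RESOLVER

# Constructed 12-byte reply headers (documentation addresses, not captured traffic).
SAMPLE = {
    "192.0.2.1": None,                                               # timed out
    "192.0.2.2": struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 1),   # no AD
    "192.0.2.3": struct.pack("!HHHHHH", TXID, 0x81A0, 1, 1, 0, 1),   # AD set
}
```

On a live host, build the `replies` mapping with `{s: probe(s) for s in dhcp_servers}` before calling `choose_resolver`.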


