Borderware is such a well supported product that it is not usual to post threads for technical advice.
The BorderWare 6.5 firewall has both and internal and external DNS. The external DNS resolves currently to the root name servers on the web. However as a public faxcing DNS this is accessible to those on the web. The external DNS is getting hit hard at the moment and as a consequence caused a DoS on our ISPs network.
They then removed us from behind their core network and firewalls to the periphery of their network (inet0) and will not move us back until we shelve the many requests we are receiving (45,000 in 2 minutes). We are speaking with Borderware about this now, but we seem to be stuck in a catch 22 that being we cant turn external DNS off because it is needed by our internal DNS. We wish to move to our ISPs own DNS servers, but will this just forward a massive amount of our traffic onto them? We asked that to reduce this issue an acl be put on the router so as to drop DNS opackets other than those emanating from inside our network or from the upstream provider (ie them). This apparently is resource intensive.
The latest (beta) version of the borderware software comes with an acl for the external interface and DNS. However without wishing to wait until the testing is completed I need to show actions are taking place. Does anyone have any clever or simple ways of solving this conundrum? Has anyone come across this issue. I cant believe we are the only ones to have experienced a problem like this.
The BorderWare 6.5 firewall has both and internal and external DNS. The external DNS resolves currently to the root name servers on the web. However as a public faxcing DNS this is accessible to those on the web. The external DNS is getting hit hard at the moment and as a consequence caused a DoS on our ISPs network.
They then removed us from behind their core network and firewalls to the periphery of their network (inet0) and will not move us back until we shelve the many requests we are receiving (45,000 in 2 minutes). We are speaking with Borderware about this now, but we seem to be stuck in a catch 22 that being we cant turn external DNS off because it is needed by our internal DNS. We wish to move to our ISPs own DNS servers, but will this just forward a massive amount of our traffic onto them? We asked that to reduce this issue an acl be put on the router so as to drop DNS opackets other than those emanating from inside our network or from the upstream provider (ie them). This apparently is resource intensive.
The latest (beta) version of the borderware software comes with an acl for the external interface and DNS. However without wishing to wait until the testing is completed I need to show actions are taking place. Does anyone have any clever or simple ways of solving this conundrum? Has anyone come across this issue. I cant believe we are the only ones to have experienced a problem like this.
