nanog mailing list archives

Re: Open Resolver Problems


From: Tony Finch <dot () dotat at>
Date: Wed, 27 Mar 2013 21:33:58 +0000

Joe Abley <jabley () hopcount ca> wrote:

> My assessment is that the implementations I have seen are ready for
> production use, but I think it's understandable given the moving
> goalposts that some vendors have not yet promoted the code to be
> included in stable releases.

It is in the current stable release of NSD 3.2.15 though it is a
build-time option. It is in the current release candidate of knot DNS
1.2.0-rc4. It will be in BIND-9.10 which has not yet reached public beta.

Our servers have been abused as reflectors, and we're using the BIND RRL
patch with versions 9.8 and 9.9 to stop the attack traffic.

There are other interim options such as using firewall rate limiting
which is worse than RRL because it is much more likely to hurt legitimate
queries. For example,
http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html

Or you can use a configuration add-on such as bindguard.
http://bindguard.activezone.de
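As an added illustration (not code from Tony's message, nor BIND's own RRL implementation): a toy model of why RRL hurts legitimate queries less than a per-source firewall limit. It counts identical responses per client /24 and applies RRL's "slip" (occasional truncated replies that push real clients to retry over TCP), next to a naive per-source packet counter; the traffic, limits and names are constructed, and real RRL differs in details such as multi-second credit windows.

```python
# Simplified model of DNS Response Rate Limiting (RRL) versus a per-source
# firewall rate limit, over one second of constructed traffic.
from collections import defaultdict
import ipaddress

RESPONSES_PER_SECOND = 5   # RRL credits per identical response per second
SLIP = 2                   # every SLIP-th over-limit response is sent truncated (TC=1)
FIREWALL_QPS = 5           # naive per-source-address packet limit

def rrl_key(src, qname, qtype):
    """RRL identity: identical responses are counted per client /24, not per IP."""
    net = ipaddress.ip_network(f"{src}/24", strict=False)
    return (str(net), qname.lower(), qtype)

class RRL:
    def __init__(self):
        self.credits = defaultdict(lambda: RESPONSES_PER_SECOND)
        self.over_limit = defaultdict(int)

    def decide(self, src, qname, qtype):
        k = rrl_key(src, qname, qtype)
        if self.credits[k] > 0:
            self.credits[k] -= 1
            return "answer"
        self.over_limit[k] += 1
        # "slip": a small truncated reply instead of silence, so a genuine
        # resolver behind the (possibly spoofed) address can retry over TCP
        return "truncate" if self.over_limit[k] % SLIP == 0 else "drop"

class FirewallLimit:
    """Firewall-style limiter: counts packets per source address only."""
    def __init__(self):
        self.seen = defaultdict(int)

    def decide(self, src, qname, qtype):
        self.seen[src] += 1
        return "answer" if self.seen[src] <= FIREWALL_QPS else "drop"

# Constructed burst: a reflection flood spoofing victim 192.0.2.10 with
# "ANY example.com", followed by one genuine query from that same host.
VICTIM = "192.0.2.10"
QUERIES = [(VICTIM, "example.com", "ANY")] * 60 + [(VICTIM, "www.example.org", "A")]

def compare():
    rrl = [RRL().decide(*q) for q in [QUERIES[0]]][:0]  # placeholder removed below
    r, f = RRL(), FirewallLimit()
    rrl = [r.decide(*q) for q in QUERIES]
    fw = [f.decide(*q) for q in QUERIES]
    return {"rrl_legit": rrl[-1], "fw_legit": fw[-1],
            "rrl_answered": rrl.count("answer"), "rrl_truncated": rrl.count("truncate"),
            "fw_answered": fw.count("answer")}
```

With this model the RRL limiter still answers the victim's legitimate query for a different name (and slips 27 truncated replies to the flood), while the per-source limiter drops it along with the attack traffic.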

Tony.
-- 
f.anthony.n.finch  <dot () dotat at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
