Hey Nico, long time no speak, hope you are well! You still at Efficient IP?

Yes, that would be a great idea in theory, but in practice it would require a 
massive infrastructure change for this customer. We'd also have to migrate the 
anycast IPs to these new nodes (does dnsdist support anycast?), and ensure we 
can still meet the contracted SLAs. Basically it's a lot of work (+ cost) just 
to "sort out" this Sophos mess.

I'd rather Sophos did their stuff over a separate TCP or UDP port rather than 
hijacking DNS, but doubt they will listen to "little old me". 😞



From: Nico CARTRON <nico...@ncartron.org>
Sent: 17 May 2018 13:01
To: Paul Roberts
Cc: ML BIND Users
Subject: Re: BIND srtt algorithm not working as expected

Hi Paul,

On 17 May 2018, at 13:46, Paul Roberts <p...@callevanetworks.com> wrote:

Good grief indeed!

I would love to implement 'fetches-per-zone' but we need to get them onto BIND 
9.11 first, that's a few months away.

Unfortunately I can't just block this traffic else I'll have the security teams 
wanting to know why we are compromising their desktop security.

Even 'fetches-per-zone' is a bit contentious, if we are rate limiting and one 
of those queries happens to be for a malicious file which doesn't get 
quarantined (because we never got the actionable response code from Sophos) 
we'll be in big trouble.

So we are caught between a rock and a hard place. :-(

Why not put dnsdist in front of those BIND 9.8 servers, and have it redirect 
DNS traffic destined for Sophos to dedicated BIND servers?
And have the other, non-Sophos DNS traffic sent to the current BIND servers?


From: Tony Finch <d...@dotat.at>
Sent: 17 May 2018 12:34
To: Paul Roberts
Cc: bind-users@lists.isc.org
Subject: Re: BIND srtt algorithm not working as expected

Paul Roberts <p...@callevanetworks.com> wrote:

> After doing some more packet captures, it looks like a lot of the
> queries are related to Sophos live protection DNS lookups (lots of
> queries for sophosxl.net), so there are a lot of queries which don't get
> resolved.

Good grief.

There are a few things you might do to mitigate this idiocy:

0. Block sophosxl.net. Your colleagues responsible for AV might not
   appreciate this :-)

1. In BIND 9.11+ there are options `fetches-per-zone` and
   `fetches-per-server` for helping a resolver to cope with overloaded
   authoritative servers. When you are forwarding you'll have to rely on
   fetches-per-zone since fetches-per-server will throttle everything.
   I don't know how fetches-per-zone discovers zone cuts or how well that
   works in the forwarding case when your resolver is relying on an
   upstream to do the iteration.

2. Set up sacrificial forwarding IP addresses. These can be additional
   addresses on your existing forwarders. Configure your resolvers to
   forward queries for sophosxl.net to the sacrificial addresses instead
   of the usual ones. Then BIND's address database entries used by most
   queries won't get polluted by the non-responding servers.

You might profitably combine 1. and 2. to make the resolver eagerly drop
queries to the sacrificial forwarders.

f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/

the quest for freedom and justice can never end
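As an added illustration of options 1 and 2 above (this is example configuration written for this page, not anything posted in the thread), here is a resolver named.conf that forwards only sophosxl.net to a sacrificial forwarder address and, on BIND 9.11+, caps fetches for that zone. The addresses are assumptions from the RFC 5737 documentation range: 192.0.2.53 and 192.0.2.54 stand for the usual forwarders, 192.0.2.99 for an extra address added to one of them; the limit of 200 is likewise an illustrative value.

```conf
// Example resolver named.conf (added illustration, not from the thread).
// Assumed addresses: 192.0.2.53 / 192.0.2.54 = existing forwarders,
// 192.0.2.99 = extra ("sacrificial") address configured on a forwarder.

// Weak setting, for comparison: everything, including the flood of
// sophosxl.net lookups that never get answered, goes to the same two
// forwarder addresses, so their timeouts inflate the SRTT / address
// database entries that every other query also relies on.
//
//   options {
//       recursion yes;
//       forward only;
//       forwarders { 192.0.2.53; 192.0.2.54; };
//   };

options {
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // used by all other names

    // Option 1 (BIND 9.11+ only; remove this line on 9.8): at most 200
    // outstanding fetches per zone, excess queries get SERVFAIL ("fail")
    // rather than being silently dropped ("drop"). fetches-per-server is
    // deliberately not set: when forwarding, it would throttle every zone
    // that goes through the same forwarder address.
    fetches-per-zone 200 fail;
};

// Option 2 (works on 9.8 too): a forward zone's own "forwarders" list
// overrides the global one, so only sophosxl.net queries are ever sent to
// 192.0.2.99. Timeouts against that address accumulate in its own entry
// and leave the entries for 192.0.2.53 / .54 unpolluted.
zone "sophosxl.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.99; };
};
```

On the forwarder host, 192.0.2.99 is just an additional interface address included in that server's `listen-on` list; no separate named instance is needed. Whether `fail` or `drop` is the right second argument is a policy choice for the security team: `fail` gives the Sophos client an immediate SERVFAIL instead of a timeout, which may or may not be the "actionable response code" they are relying on.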
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list