Hi everybody,

From PowerDNS users we have heard of problems caused by various domain names related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601), http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/

If you are not yet in a position to upgrade to 3.6.2, or even if you have upgraded and traffic for these domains is causing CPU spikes anyhow, we recommend the following configuration line as a workaround:

auth-zones=ezdns.es=nullzone,ezdns.gs=nullzone,ezdns.it=nullzone,ezdns.la=nullzone,ezdns.me=nullzone,ezdns.ms=nullzone,ezdns.pl=nullzone,ezdns.pm=nullzone,ezdns.re=nullzone,ezdns.so=nullzone,ezdns.sx=nullzone,ezdns.tf=nullzone,ezdns.wf=nullzone,ezdns.yt=nullzone

And this file 'nullzone':

@ 3600 IN SOA ns hostmaster 2013041204 9000 450 604800 450
@ 3600 IN NS ns1
ns1 3600 IN A 127.0.0.1

You might need to add a path to nullzone for this to work reliably.

This functions pretty well for us in testing. It will kill some domains that currently don't work anyhow, but relax your CPU a lot if you are under attack.

You can update auth-zones using 'rec_control reload-zones' at runtime without restarting the recursor, which will discover new zones to be blocked or no longer blocked.

Again, if you have any questions, please either contact us on our mailing lists, or privately via [email protected] (should you wish to make use of our SLA-backed support program).

Bert

--
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
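
An added example, not part of the original message or of PowerDNS: a small shell helper that writes the 'nullzone' file quoted above and builds the auth-zones line with an absolute zone-file path, so the block list can be regenerated as domains are added or removed. The function names and the path /etc/powerdns/nullzone are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): maintain the auth-zones
# workaround from a list of domains instead of editing the line by hand.

# write_nullzone FILE: write the zone file quoted in the message to FILE.
write_nullzone() {
    cat > "$1" <<'EOF'
@ 3600 IN SOA ns hostmaster 2013041204 9000 450 604800 450
@ 3600 IN NS ns1
ns1 3600 IN A 127.0.0.1
EOF
}

# build_auth_zones ZONEFILE DOMAIN...: print a single auth-zones= line.
# - ZONEFILE must be absolute (the message notes a bare 'nullzone' may not
#   resolve reliably).
# - Names are lower-cased, a trailing dot is dropped, duplicates are skipped,
#   and anything that is not a plain hostname is rejected with a warning.
build_auth_zones() {
    zonefile=$1; shift
    case $zonefile in
        /*) ;;
        *) echo "zone file path must be absolute: $zonefile" >&2; return 1 ;;
    esac
    out=
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        d=${d%.}
        case $d in
            ''|*[!a-z0-9.-]*|.*|*..*|-*)
                echo "skipping invalid name: $d" >&2; continue ;;
        esac
        case ",$out," in
            *",$d=$zonefile,"*) continue ;;   # already listed
        esac
        out=${out:+$out,}$d=$zonefile
    done
    [ -n "$out" ] || return 1
    printf 'auth-zones=%s\n' "$out"
}

# Usage (assumed path):
#   write_nullzone /etc/powerdns/nullzone
#   build_auth_zones /etc/powerdns/nullzone ezdns.es ezdns.gs ezdns.it
# Put the printed line in the recursor configuration, then apply it with
# 'rec_control reload-zones'.
```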
