Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Eliezer Croitoru
On 09/20/2013 05:12 PM, Vernon Schryver wrote:
 The potential RRL problem is when you provide high volume DNSBL service
 over the open Internet to DNS clients that are not authenticated.
 However, that is unlikely to be a worry, because providing DNSBL
 services over the open Internet is a dubious idea for unrelated reasons.
 Major DNSBL providers have years since limited anonymous clients for
 business or other reasons.  For example, I think Spamhaus limits
 anonymous clients to fewer than 3 queries/second.
and I doubt they use RRL at the application level.
I assume they limit that at either the iptables or firewall level.

What is the way to provide DNSBL using BIND?
I was looking for something like that, but I am sure a dynamic DB is
needed for the task, right?

Eliezer
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: bind-users Digest, Vol 1633, Issue 1

2013-09-23 Thread Harald A. Irmer
: ‘cap_flag_value_t’ undeclared (first use in this function)
os.c:260: error: expected ‘;’ before ‘curval’
os.c:260: warning: implicit declaration of function ‘cap_get_flag’
os.c:260: error: ‘CAP_PERMITTED’ undeclared (first use in this function)
os.c:260: error: ‘curval’ undeclared (first use in this function)
os.c:260: warning: implicit declaration of function ‘cap_set_flag’
os.c:260: error: ‘CAP_EFFECTIVE’ undeclared (first use in this function)
os.c:260: error: ‘CAP_SET’ undeclared (first use in this function)
os.c:265: error: expected ‘;’ before ‘curval’
os.c:274: error: expected ‘;’ before ‘curval’
os.c:280: error: expected ‘;’ before ‘curval’
os.c:286: error: expected ‘;’ before ‘curval’
os.c:295: error: expected ‘;’ before ‘curval’
os.c:301: error: expected ‘;’ before ‘curval’
os.c:303: warning: implicit declaration of function ‘linux_setcaps’
os.c:306: warning: implicit declaration of function ‘cap_free’
os.c: In function ‘linux_minprivs’:
os.c:312: error: ‘cap_t’ undeclared (first use in this function)
os.c:312: error: expected ‘;’ before ‘caps’
os.c:314: error: expected ‘;’ before ‘curcaps’
os.c:315: error: ‘cap_value_t’ undeclared (first use in this function)
os.c:315: error: expected ‘;’ before ‘capval’
os.c:320: error: ‘caps’ undeclared (first use in this function)
os.c:320: error: ‘curcaps’ undeclared (first use in this function)
os.c:329: error: ‘capval’ undeclared (first use in this function)
os.c:329: error: ‘cap_flag_value_t’ undeclared (first use in this function)
os.c:329: error: expected ‘;’ before ‘curval’
os.c:329: error: ‘CAP_PERMITTED’ undeclared (first use in this function)
os.c:329: error: ‘curval’ undeclared (first use in this function)
os.c:329: error: ‘CAP_EFFECTIVE’ undeclared (first use in this function)
os.c:329: error: ‘CAP_SET’ undeclared (first use in this function)
os.c:338: error: expected ‘;’ before ‘curval’
make[3]: *** [os.o] Error 1
make[3]: Leaving directory `/usr/local/src/bind-9.9.4/bin/named/unix'
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/local/src/bind-9.9.4/bin/named'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/usr/local/src/bind-9.9.4/bin'
make: *** [subdirs] Error 1



ShanyiWan



--

Karlsruhe Institute of Technology (KIT)
ATIS - IT Infrastruture and Services, Faculty of Computer Science

Harald A. Irmer
IT Manager / Computer Networks Group

Am Fasanengarten 5
Building 50.34
76131 Karlsruhe, Germany

Phone: +49 721 608-46963
Fax: +49 721 608-46699
Email: harald.ir...@kit.edu
http://www.kit.edu/

KIT University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association



Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Vernon Schryver
 From: Eliezer Croitoru elie...@ngtech.co.il

  Major DNSBL providers have years since limited anonymous clients for
  business or other reasons.  For example, I think Spamhaus limits
  anonymous clients to fewer than 3 queries/second.

 and I doubt they use RRL in the application level..

 I assume they limit that on either IPTABLES\FW level.

The only technical reason I know that might stop Spamhaus and the
Spamhaus mirrors from using RRL to throttle anonymous DNSBL clients
is the lingering enthusiasm for RBLDNSD and rsync in the DNSBL community.
RBLDNSD+rsync made sense before the (de facto standard) DNS protocol
had incremental zone transfers and updates.  It is a bug today.
That use of RBLDNSD+rsync has become a serious problem.  Among the
problems it causes are:

  - IPv6 DNS server caches
  If IXFR were used to distribute DNSBL data, then wildcards
  to cover entire CIDR blocks (both IPv4 and IPv6) could be
  published and there would be no IPv6 cache explosion issue.

  - Authentication
  RBLDNSD doesn't support DNSSEC, so that any of the many men
  in the middle between small DNSBL clients and the servers
  they use can improve passing DNSBL data.

I know nothing about how Spamhaus and the Spamhaus DNSBL mirrors control
access, but I doubt they use firewalls except to completely block
persistently abusive clients.  Firewalls trying to rate limit need to
keep state, and stateful firewalls are infamous for collapsing under
the weight of irrelevant state when someone tries to apply them to
this kind of problem.


 What is the way to provide DNSBL using BIND?

BIND and other full featured DNS implementations are used to answer
DNSBL requests as well as requests for records in larger and more
frequently changing DNS zones than any of the DNSBLs.  Consider what
happens in the major gTLDs today.  Things have changed since RBLDNSD
appeared and when a change to example.com took weeks.

Consider the fact that some Spamhaus DNSBL zones are available as RPZ
zones.  See https://www.google.com/search?q=dns+rpz


 I was looking for something like that but I am sure a dynamic DB is
 needed for the task right?

Large DNSBLs are not very dynamic, because they have relatively few
changes per day.  From another perspective, with the popularity of
dynamically updating forward and reverse DNS zones as end-user IP
addresses change, why isn't the machinery in any full featured
DNS implementation a dynamic DB?  The term database should not
imply sql or even relational.


Vernon Schryver v...@rhyolite.com


Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Chris Buxton

On Sep 23, 2013, at 7:59 AM, Vernon Schryver v...@rhyolite.com wrote:

 From: Eliezer Croitoru elie...@ngtech.co.il
 
 I was looking for something like that but I am sure a dynamic DB is
 needed for the task right?
 
 Large DNSBLs are not very dynamic, because they have relatively few
 changes per day.  From another perspective, with the popularity of
 dynamically updating forward and reverse DNS zones as end-user IP
 addresses change, why isn't the machinery in any full featured
 DNS implementation a dynamic DB?  The term database should not
 imply sql or even relational.

Indeed, a DNS server is a type of database server. The DNS is a large 
distributed database.

Regards,
Chris


Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Simon Forster

On 23 Sep 2013, at 15:59, Vernon Schryver v...@rhyolite.com wrote:

 From: Eliezer Croitoru elie...@ngtech.co.il
 
 Major DNSBL providers have years since limited anonymous clients for
 business or other reasons.  For example, I think Spamhaus limits
 anonymous clients to fewer than 3 queries/second.
 
 and I doubt they use RRL in the application level..
 
 I assume they limit that on either IPTABLES\FW level.
 
 The only technical reason I know that might stop Spamhaus and the
 Spamhaus mirrors from using RRL to throttle anonymous DNSBL clients
 is the lingering enthusiasm for RBLDNSD and rsync in the DNSBL community.
 RBLDNSD+rsync made sense before the (de facto standard) DNS protocol
 had incremental zone transfers and updates.  It is a bug today.
 That use of RBLDNSD+rsync has become a serious problem.  Among the
 problems it causes are:
 
  - IPv6 DNS server caches
  If IXFR were used to distribute DNSBL data, then wildcards
  to cover entire CIDR blocks (both IPv4 and IPv6) could be
  published and there would be no IPv6 cache explosion issue.
 
  - Authentication
  RBLDNSD doesn't support DNSSEC, so that any of the many men
  in the middle between small DNSBL clients and the servers
  they use can improve passing DNSBL data.
 
 I know nothing about how Spamhaus and the Spamhaus DNSBL mirrors control
 access, but I doubt they use firewalls except to completely block
 persistently abusive clients.  Firewalls trying to rate limit need to
 keep state, and stateful firewalls are infamous for collapsing under
 the weight of irrelevant state when someone tries to apply them to
 this kind of problem.
 
 
 What is the way to provide DNSBL using BIND?
 
 BIND and other full featured DNS implementations are used to answer
 DNSBL requests as well as requests for records in larger and more
 frequently changing DNS zones than any of the DNSBLs.  Consider what
 happens in the major gTLDs today.  Things have changed since RBLDNSD
 appeared and when a change to example.com took weeks.
 
 Consider the fact that some Spamhaus DNSBL zones are available as RPZ
 zones.  See https://www.google.com/search?q=dns+rpz

Some, not all.

As a matter of interest, if one had a DNSBL with 5.5 million entries (i.e. 5.5 million IPs):

1) What needs to be done to rewrite that to a BIND zone?

2) What sort of machine would be required to load that zone?

3) How long would it take to load into BIND?

TIA

Simon






Re: 9.9.4 Bug Fixes - RT #34583

2013-09-23 Thread Chris Buxton
On Sep 21, 2013, at 8:35 AM, Steve Arntzen i...@arntzen.us wrote:

 Good morning/day/evening.
 
 What exactly does "beneath" mean in the following line from the 9.9.4
 bug fixes?
 
 Fix forwarding for "forward only" zones beneath automatic empty zones.
 [RT #34583]

Beneath in this case refers to the namespace tree diagram. Think of an 
upside-down tree structure, with the root at the top. Then 10.in-addr.arpa is 
beneath in-addr.arpa, and (more importantly in this case, as Evan pointed 
out) 100.10.in-addr.arpa is beneath 10.in-addr.arpa.

Regards,
Chris



Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Tony Finch
Simon Forster fors...@spamteq.com wrote:

 As a matter of interest, if one had a DNSBL with 5.5 million entries
 (i.e. 5.5 million IPs):

 1) What needs to be done to rewrite that to a BIND zone?
 2) What sort of machine would be required to load that zone?
 3) How long would it take to load into BIND?

I did a quick test. Generating and parsing the zone in text format took
about 80s wall time; loading the raw zone file took 30s. In both cases
named-checkzone used about 1.25GB RAM.

I don't have enough RAM on this machine to run dnssec-signzone in a
reasonable length of time - it goes into swap death after 3GB.

perl -e 'use Crypt::OpenSSL::Random;
# SOA and NS for the test zone, then the synthetic A records
print "x.dotat.at. 3600 in soa black.dotat.at. dot.dotat.at. 1 1h 1h 1w 1m\n";
print "x.dotat.at. 3600 in ns black.dotat.at.\n";
# each owner is four random octets under the zone; the trailing dot keeps the
# name absolute.  5_500_000 matches the 5.5 million entries asked about
# (the archived copy of this line reads 550, assumed to be a transcription).
printf "%s.x.dotat.at. 3600 IN A 127.0.0.2\n",
join ".", unpack "C4", Crypt::OpenSSL::Random::random_bytes(4)
for (1..5_500_000);
' |
named-compilezone -i local -k warn -n warn -Fraw -o x.dotat.at x.dotat.at /dev/stdin

named-checkzone -i local -k warn -n warn -fraw x.dotat.at x.dotat.at

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


Re: RRL probably not useful for DNS IP blacklists,

2013-09-23 Thread Vernon Schryver
 From: Tony Finch d...@dotat.at

  As a matter of interest, if one had a DNSBL with 5.5 million entries
  (i.e. 5.5 million IPs):
 
  1) What needs to be done to rewrite that to a BIND zone?
  2) What sort of machine would be required to load that zone?
  3) How long would it take to load into BIND?

 I did a quick test. Generating and parsing the zone in text format took
 about 80s wall time; loading the raw zone file took 30s. In both cases
 named-checkzone used about 1.25GB RAM.

 I don't have enough RAM on this machine to run dnssec-signzone in a
 reasonable length of time - it goes into swap death after 3GB.

It's convenient that with binary zone files and the dynamic update
protocol, loading from text (or signing a whole zone) is not something
you need to do every hour on the hour.

I assume you'd use NSEC instead of NSEC3 when signing, since
protecting a DNSBL from zone walking makes little more sense than
protecting a reverse zone.

By the way, how much smaller would that DNSBL be if it could use
wildcards?  I suspect a real (as opposed to synthetic) DNSBL has
a lot of repetition in all except the last labels.


Vernon Schryver v...@rhyolite.com
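Simon's question about rewriting a DNSBL as a BIND zone, and Vernon's point that wildcards could cover whole CIDR blocks and shrink the zone, are worked through in the following added example (not code from the thread or from any DNSBL operator). It assumes a zone name bl.example and a constructed entry list; is_listed() emulates the server's wildcard matching so the closest-encloser caveat is visible.

```python
import ipaddress

# Constructed sample input (not real DNSBL data): single hosts and CIDR blocks.
SAMPLE_ENTRIES = ["192.0.2.7", "192.0.2.9", "198.51.100.0/24",
                  "100.64.7.7", "203.0.113.0/30", "100.64.0.0/16"]
ZONE = "bl.example"   # assumed zone name
LISTED = "127.0.0.2"  # conventional "listed" answer

def rev(ip):
    """Octets reversed, the way a DNSBL client forms its query name."""
    return ".".join(reversed(ip.split(".")))

def build_zone(entries):
    """Return {owner: rdata}, owners relative to ZONE.  Octet-aligned blocks
    (/8, /16, /24) become one wildcard record; other prefixes expand to host
    records.  Hosts inside a wildcarded block are dropped: under a /24 they
    are merely redundant, but under a /8 or /16 the extra labels create an
    empty non-terminal and the closest-encloser rule (RFC 4592) then stops
    the wildcard matching the block's other addresses."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    wild = [n for n in nets if n.prefixlen in (8, 16, 24)]
    records = {}
    for n in wild:
        kept = str(n.network_address).split(".")[: n.prefixlen // 8]
        records["*." + ".".join(reversed(kept))] = LISTED
    for n in nets:
        if n not in wild:
            for host in n:
                if not any(host in w for w in wild):
                    records[rev(str(host))] = LISTED
    return records

def is_listed(records, ip):
    """Emulate the authoritative answer: exact match, else the wildcard at the
    closest encloser; an existing empty non-terminal answers NODATA."""
    nodes = {".".join(o.split(".")[i:])
             for o in records for i in range(len(o.split(".")))}
    name = rev(ip)
    if name in records:
        return True
    if name in nodes:
        return False
    labels = name.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in nodes:
            return ("*." + ".".join(labels[i:])) in records
    return False

def zone_text(records):
    """Zone file text for named-compilezone; SOA/NS values are placeholders."""
    lines = [f"$ORIGIN {ZONE}.", "$TTL 3600",
             f"@ IN SOA ns1.{ZONE}. hostmaster.{ZONE}. 1 1h 1h 1w 1m",
             f"@ IN NS ns1.{ZONE}."]
    lines += [f"{o} IN A {r}" for o, r in sorted(records.items())]
    return "\n".join(lines) + "\n"
```

Six input entries collapse to eight records, two of them wildcards; re-adding the dropped 100.64.7.7 host record makes 100.64.7.8 unlisted even though the /16 wildcard is still present.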


Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Simon Forster

On 23 Sep 2013, at 19:24, Tony Finch d...@dotat.at wrote:

 Simon Forster fors...@spamteq.com wrote:
 
 As a matter of interest, if one had a DNSBL with 5.5 million entries
 (i.e. 5.5 million IPs):
 
 1) What needs to be done to rewrite that to a BIND zone?
 2) What sort of machine would be required to load that zone?
 3) How long would it take to load into BIND?
 
 I did a quick test. Generating and parsing the zone in text format took
 about 80s wall time; loading the raw zone file took 30s. In both cases
 named-checkzone used about 1.25GB RAM.

Excellent info. Thank you. What's the specs of the machine you're testing on?

TIA

Simon


