Re: Load balancer for Bind

2016-09-16 Thread bert hubert
On Fri, Sep 16, 2016 at 02:22:24PM +0100, Phil Mayers wrote:
> I was mainly wondering about the comment:
> 
> """
> dnsdist is still very fresh software. However, we are actively seeking

Hi Phil,

Thanks - that statement was accurate in March 2015 when we posted that item.
I have now replaced it with:

"dnsdist 1.0.0 was released on the 21st of April 2016 at UKNOF34. Packages,
documentation, source code and news can be found on http://dnsdist.org/"

> Anyway, it's a really interesting looking bit of software - I've got a new
> thing on the TODO list to inspect.

Thanks!

Bert
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Load balancer for Bind

2016-09-16 Thread bert hubert
On Fri, Sep 16, 2016 at 02:03:31PM +0100, Phil Mayers wrote:
> >Sorry for running advertisement here. But please know dnsdist is software
> >neutral, it is not "powerdnsdist".
> 
> I've never come across dnsdist before. Would you describe it as
> production-ready?

Hi Phil,

A large CDN, one of .nl's largest hosting providers, several country-sized
telecommunications service providers and most Swiss universities would let
us know if it wasn't.

Your question is justified of course. The history of dnsdist goes back to
2013.  We spent most of 2015 ramping it up, and even as we were doing so it
was already being deployed, pre-1.0.0.

Since we released 1.0.0 at UKNOF 34 https://www.youtube.com/watch?v=5abqhVfJFhg 
we have seen adoption skyrocket, and we have just accumulated enough reasons
to release 1.1.0 shortly. The release notes for beta-1 describe the sort of
things we are working on now
https://blog.powerdns.com/2016/09/01/dnsdist-1-1-0-beta-1-released/

Not a single production crash or incident has been reported in 1.0.0. 

So to answer your question - our users have deployed it at scale, and we are
not aware of any issues you should know about.

http://dnsdist.org/ has more background & links to our mailing list.

Bert


Re: Load balancer for Bind

2016-09-15 Thread bert hubert
On Wed, Sep 14, 2016 at 03:41:31PM -0400, Matthew Pounsett wrote:
> > I read something about HAProxy but it does not handle UDP connections, and
> > the interesting security proxy/balancer dnsdist does not pass the original
> > client IP to BIND-DLZ...
> >
> Your best option is something that can do the job statelessly.  As Warren
(...)

> Mostly that means using a routing protocol to do LAN-scope Anycast via
> ECMP.  ISC has a technote that explains how to do it.

Actually, in our not so humble opinion, your best option is both. 

ECMP is good at distributing the pain using some hash of addresses and port
numbers.  But it does nothing about the pain itself.  Also, it does not know
about the health of individual backends.

dnsdist does know, and can also filter many forms of attack without touching
the state table. dnsdist has a fixed amount of state so it won't die from
people trying to overload its state tables. And the state is dimensioned so
it will not be exceeded without forwarding more traffic than your backends
could handle anyhow.

So what we recommend is using dnsdist to balance to your backends, and have
it prefer one backend when all things are equal.  Then run multiple dnsdists
which each prefer a different backend.  And then announce your dnsdist
service addresses a few times over BGP.

Finally, query dnsdist about its drop rates, and if these exceed a certain
level, prepend your BGP announcement so another dnsdist gets the traffic,
unless that too measures drops. If all of them prepend, the pain is spread
out evenly again.

Sorry for running advertisement here. But please know dnsdist is software
neutral, it is not "powerdnsdist".

Bert


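The feedback loop Bert sketches above (measure dnsdist's drop rate, prepend
the BGP announcement when it gets too high, withdraw the prepend once things
calm down) as an added example; this is not code from the thread or from
dnsdist itself. The counter names and thresholds are assumptions, and the
BGP side is left to whatever route speaker you run.

```python
class DropRateMonitor:
    """Decide when this dnsdist should prepend its BGP announcement (hysteresis)."""
    # Counter names follow dnsdist's JSON statistics; verify them on your version.
    DROP_KEYS = ("rule-drop", "acl-drops")

    def __init__(self, high=0.05, low=0.01, clear_after=3, min_queries=1000):
        self.high, self.low = high, low          # prepend at >= high, clear below low
        self.clear_after = clear_after           # calm samples needed before withdrawing
        self.min_queries = min_queries           # too few queries: no judgement
        self.prev, self.prepended, self.calm = None, False, 0

    def drop_rate(self, sample):
        """Fraction of queries dropped since the previous sample, or None."""
        if self.prev is None:
            return None
        queries = sample["queries"] - self.prev["queries"]
        drops = sum(sample.get(k, 0) - self.prev.get(k, 0) for k in self.DROP_KEYS)
        return drops / queries if queries >= self.min_queries else None

    def update(self, sample):
        """Feed one cumulative-counter sample; return "prepend", "withdraw" or None."""
        rate = self.drop_rate(sample)
        self.prev = sample
        if rate is None:
            return None
        if not self.prepended and rate >= self.high:
            self.prepended, self.calm = True, 0
            return "prepend"
        if self.prepended:
            self.calm = self.calm + 1 if rate < self.low else 0
            if self.calm >= self.clear_after:
                self.prepended = False
                return "withdraw"
        return None

# Constructed sample series (cumulative counters); the burst hits in the third sample.
SAMPLES = [{"queries": 0, "rule-drop": 0, "acl-drops": 0},
           {"queries": 10000, "rule-drop": 100, "acl-drops": 0},
           {"queries": 30000, "rule-drop": 2100, "acl-drops": 0},
           {"queries": 40000, "rule-drop": 2150, "acl-drops": 0},
           {"queries": 40500, "rule-drop": 2151, "acl-drops": 0},   # too few queries
           {"queries": 50500, "rule-drop": 2160, "acl-drops": 0},
           {"queries": 60500, "rule-drop": 2165, "acl-drops": 0}]

def decisions(samples, **kw):
    """Run the monitor over a series and return the decision per sample."""
    mon = DropRateMonitor(**kw)
    return [mon.update(s) for s in samples]
```

The "withdraw" only fires after several calm samples, so a flapping drop rate does not turn into a flapping BGP path.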
Re: Load balancer for Bind

2016-09-14 Thread bert hubert
On Wed, Sep 14, 2016 at 06:17:13PM +0200, Job wrote:
> Which is the best load balancer for two or more BIND DNS servers located in
> the same farm?
> I read something about HAProxy but it does not handle UDP connections, and the
> interesting security proxy/balancer dnsdist does not pass the original client IP
> to BIND-DLZ...

Hi Francesco,

dnsdist can transfer the original IP over EDNS Client Subnet (ECS).
http://dnsdist.org/README/ has how this works.

I don't know if BIND can make use of the original IP address though.
PowerDNS geoipbackend can in any case. BIND is also an excellent choice.

Good luck!

Bert (one of the dnsdist authors)


Re: ISC considering a change to the BIND open source license

2016-06-14 Thread bert hubert
On Mon, Jun 13, 2016 at 08:57:02PM +, P Vixie wrote:
> This is long overdue. I'm all for it. Vixie

For what it is worth, as open source fellow travellers we discussed this
earlier both with Vicky and Paul, and we are in strong agreement with this
measure to increase the sustainability of great open source development.


Bert
On behalf of PowerDNS

> 
> On June 13, 2016 10:52:15 PM GMT+02:00, Victoria Risk  wrote:
> >Hello BIND users-
> >
> >ISC published BIND under a very permissive open source license
> >
> >(https://www.isc.org/downloads/software-support-policy/isc-license/
> >)
> >nearly two decades ago.  ISC is the organizational steward for BIND; in
> >order to preserve the software for the long term, we are considering a
> >move to the more restrictive Mozilla Public License (MPL 2.0)
> >
> >(https://www.mozilla.org/en-US/MPL/2.0/
> >).
> >
> >The MPL license requires that anyone redistributing the code who has
> >changed it must publish their changes (or pay for an exception to the
> >license). It doesn’t impact anyone who is using the software without
> >redistributing it, nor anyone redistributing it without changes – so
> >most users will not see any change. 
> >
> >In the event we do proceed with the change in license, we will announce
> >this with the 9.11.0 beta and it will take effect with the BIND 9.11.0
> >release.
> >
> >We welcome comments from BIND users, including statements of support or
> >concern.  Email Vicky Risk, Product Manager at vi...@isc.org
> > if you want to discuss privately, Tweet at us at
> >@ISCdotORG , or discuss on
> >bind-users@lists.isc.org.
> >
> >Regards,
> >
> >Vicky Risk, 
> >Product Manager
> >
> >Jeff Osborn, President of ISC, announcing we are considering this
> >change at RIPE72 in Copenhagen May 26th,
> >https://ripe72.ripe.net/archives/video/206
> >.
> >___
> >bind-announce mailing list
> >bind-annou...@lists.isc.org
> >https://lists.isc.org/mailman/listinfo/bind-announce
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just called one of the clients who is doing this DDoS and he confirmed he uses UBI
> devices.
> Does anyone know how to block all queries like this: "query 331.206.372.214 IN
> " with a random AAA.XXX.YYY.ZZZ address?

Marek, I don't know if BIND does this natively, but the following dnsdist
statement implements this:

addAction(RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$"), DropAction())

If you want you could also do:

addAction(AndRule{QTypeRule(pdns.), RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$")}, DropAction())

Which limits it to . 

The only other things you need to do are setACL() so dnsdist allows access
to the right IP addresses and newServer("192.168.1.2") to set the IP address
of your actual BIND server.

This would also get you a whole bunch of cool statistics on how well your
server is doing. For more on dnsdist, see http://dnsdist.org/

Bert


Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my BIND eat almost 90% of RAM; when I checked the logs I found an
> interesting DDoS on my DNS cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212
> IN  + (8X.1X0.Y.Y)

This may be related to
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
where there is talk of a Ubiquiti exploit which is reported (elsewhere) to
generate such queries.

Bert


> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to
> 8X.1X0.33.0/24 for . IN   ()
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 235.326.031.064
> IN  + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to
> 8X.1X0.33.0/24 for . IN   ()
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214
> IN  + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to
> 8X.1X0.33.0/24 for . IN   ()
> 
> Looks like IN  queries about wrong IPv4 addresses... I got almost 5000/sec.
> Has anyone seen this too?
> 
> Best Regards
> Marek

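An added example (not from the thread) of the same shape-based detection done
on the BIND side: it parses query-log lines like those quoted above and reports
clients that send bursts of dotted-quad names, which is the evidence you would
want before dropping that shape at a dnsdist in front of BIND. The log lines are
constructed with documentation addresses and the qtype in them is arbitrary.

```python
import re
from collections import defaultdict

# BIND query-log line of the shape quoted above (client, port, qname, qtype).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[^#]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)
# The name shape Bert's dnsdist RegexRule drops: four groups of exactly three digits.
BOGUS_QUAD_RE = re.compile(r"^[0-9]{3}\.[0-9]{3}\.[0-9]{3}\.[0-9]{3}$")

def parse_query(line):
    """Return the fields of a 'query:' line, or None for other log lines."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None

def is_bogus_quad(qname):
    """True for names like 323.016.231.212 (a trailing dot is tolerated)."""
    return BOGUS_QUAD_RE.match(qname.rstrip(".")) is not None

def flag_clients(lines, per_second_threshold):
    """Map client -> peak bogus-quad queries in any one second, if above threshold."""
    per_client = defaultdict(lambda: defaultdict(int))   # client -> second -> count
    for line in lines:
        q = parse_query(line)
        if q is None or not is_bogus_quad(q["qname"]):
            continue                                       # not a query, or a normal name
        second = q["ts"].split(".")[0]                     # drop the milliseconds
        per_client[q["client"]][second] += 1
    peaks = {c: max(s.values()) for c, s in per_client.items()}
    return {c: n for c, n in peaks.items() if n >= per_second_threshold}

# Constructed sample log (documentation addresses; the qtype is arbitrary).
SAMPLE_LOG = """\
16-May-2016 16:47:47.467 client 192.0.2.40#44968: query: 323.016.231.212 IN AAAA + (192.0.2.1)
16-May-2016 16:47:47.467 client 192.0.2.40#44968: slip response to 192.0.2.0/24 for . IN AAAA ()
16-May-2016 16:47:47.467 client 192.0.2.40#38600: query: 235.326.031.064 IN AAAA + (192.0.2.1)
16-May-2016 16:47:47.467 client 192.0.2.40#51399: query: 331.206.372.214 IN AAAA + (192.0.2.1)
16-May-2016 16:47:48.100 client 192.0.2.40#51400: query: 100.200.300.400 IN AAAA + (192.0.2.1)
16-May-2016 16:47:47.500 client 198.51.100.7#5353: query: www.example.com IN A + (192.0.2.1)
16-May-2016 16:47:47.600 client 198.51.100.7#5353: query: 192.000.002.001 IN A + (192.0.2.1)
"""
```

Note that the shape regex also matches zero-padded but otherwise valid-looking names such as 192.000.002.001, which is why a per-client rate threshold, not a single hit, should drive any block.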

Re: BIND 9.11 / edns-client-subnet

2016-05-09 Thread bert hubert
On Mon, May 09, 2016 at 05:24:50PM +0200, Nico CARTRON wrote:
> > Perhaps you should tell us how it works for you, what your testing has 
> > found, and contribute to the development of great open source software? 
> well, I am just starting the tests now, so cannot tell - yet :)
> I will definitely report once I have progressed, but in the meantime, any 
> feedback from others would be appreciated.

Let me comment on my snark a bit before I promise to no longer pollute this
technical list with such remarks.  Any appliance vendor is a net loss of
revenue and reputation for the open source world unless you contribute back.
It does not sustain our software otherwise.

And in fact, by branding BIND (which is a magnificent collection of DNS
functionality, which you ship) as "the most common victim" of security
issues, you are hurting open source. [1] Your non-public sales stories are
worse.

Given that, I found it a bit rich for you (from a non-company email
address!) to ask the community that supplies you with free software to give
you some free testing too.  

It would be great to see some testing from you perhaps. For example, how DID
you achieve 27 million queries/second? 

> BTW Bert, does PowerDNS support it? ;)
> I saw (https://github.com/PowerDNS/pdns/issues/573) that it's on git
> master, does that mean it's publicly available?

Yes - see my off list reply.

Bert
(will resume lurking here)

[1] http://www.efficientip.com/hybrid-dns-whitepaper/

Re: BIND 9.11 / edns-client-subnet

2016-05-09 Thread bert hubert
On Mon, May 09, 2016 at 04:38:13PM +0200, Nico CARTRON wrote:
> I was wondering whether some folks on the mailing list had a look at the ECS 
> implementation in BIND 9.11,
> and if they had any feedback to share?

Perhaps you should tell us how it works for you, what your testing has
found, and contribute to the development of great open source software?

Thanks!

Bert


Re: pre heat cache

2016-02-17 Thread bert hubert
On Wed, Feb 17, 2016 at 11:31:54AM -0800, William Taylor wrote:
> Is there anyway to pre-heat the cache in bind on startup besides having
> a custom script that did a bunch of queries on top hosts?
> I know you can dump it with rndc but can you load it back ?

One way to achieve this is to have two nameservers and balance them behind
dnsdist with the default 'leastOutstanding' policy. This means that as your
server heats up its cache, it will only progressively get more traffic. This
provides a good end-user experience.

http://dnsdist.org/

Preloading a cache has been considered by various implementations and
generally causes more downtime/delay than heating up the cache to the point
it has all relevant entries.

Bert

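An added simulation (not from the thread or from dnsdist) of why leastOutstanding
ramps a cold backend up gradually: a server that answers slowly holds more queries
in flight, so it is picked less often until its cache, and with it its latency,
catches up with the warm server. The latency model is an assumption, not dnsdist
internals.

```python
import heapq

def simulate_least_outstanding(n_queries=2000, interval=1.0, warm_latency=2.0,
                               cold_start=40.0, decay=0.9, window=500):
    """Share of queries sent to a cold-cache backend, per window of `window` queries.

    Model (assumed): one query arrives every `interval` ms; the warm backend answers
    in `warm_latency` ms; the cold backend starts at `cold_start` ms and every query
    it answers fills its cache a little, shrinking its latency by `decay` until it
    matches the warm one. Selection follows dnsdist's leastOutstanding rule: fewest
    outstanding queries, then lowest latency (both backends assumed to share 'order').
    """
    latency = {"warm": warm_latency, "cold": cold_start}
    outstanding = {"warm": 0, "cold": 0}
    in_flight = []                      # heap of (completion time, backend)
    shares, cold_in_window = [], 0
    for i in range(n_queries):
        now = i * interval
        while in_flight and in_flight[0][0] <= now:       # retire answered queries
            outstanding[heapq.heappop(in_flight)[1]] -= 1
        pick = min(outstanding, key=lambda b: (outstanding[b], latency[b]))
        outstanding[pick] += 1
        heapq.heappush(in_flight, (now + latency[pick], pick))
        if pick == "cold":
            cold_in_window += 1
            latency["cold"] = max(warm_latency, latency["cold"] * decay)
        if (i + 1) % window == 0:
            shares.append(cold_in_window / window)
            cold_in_window = 0
    return shares
```

With the defaults the cold server takes well under a fifth of the first 500 queries and settles at half once its latency matches the warm one.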