about DNS RRL
I have read the document of redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/

I have a question: since the DDoS attacks on DNS come from spoofed IPs, but RRL works based on source IP, how can it stop a real-life attack?

Thanks.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: about DNS RRL
> In article <mailman.424.1350461867.11945.bind-us...@lists.isc.org>, pangj <pa...@riseup.net> wrote:
>> I have read the document of redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>>
>> I have a question: since the DDoS attacks on DNS come from spoofed IPs, but RRL works based on source IP, how can it stop a real-life attack?
>
> You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server.

Sorry, I just can't understand why my server is being used to attack other people's servers.
Re: How to Setup DNSSEC
Hi,

$ dig +dnssec udp53.org soa

; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;udp53.org.  IN  SOA

;; ANSWER SECTION:
udp53.org.  3600  IN  SOA  blox.wetworks.org. alan.clegg.com. 1259962123 86400 3600 2419200 300
udp53.org.  3600  IN  RRSIG  SOA 8 2 3600 20121030214830 20121016204830 48948 udp53.org. eVftM2Iu4Q/pn0AVW3EXYricq2BagrleTAbQvAtbqOOj3UgSzQHwxR/i 2zOTayebAx65K7mDql1qXaXUh7GAj1fmjKiaf1YR4QR1RHg2tV5dFEuP j6bha3QD0YfxS8pPGywsNeLn+6BwM2FrSOKefvc1S/GAv6y9ei/gj8qG 94Y=

From the result above, I didn't see an AD flag set. Why? The nameserver in /etc/resolv.conf is 119.147.163.133, which is a standard BIND.

$ dig txt chaos version.bind @119.147.163.133 +short
9.6.1-P2

thanks.

On 2012-10-17 6:31, Alan Clegg wrote:
> You can still find it at ISC: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
>
> It is a bit long in the tooth. I'll be updating it soon to cover the work done by ISC in BIND 9.9
>
> All are welcome to propose titles for this new work.
Re: How to Setup DNSSEC
On 2012-10-17 10:54, Mark Andrews wrote:
> There is no DS for udp53.org so there is no secure trust chain.

Does this mean .org has not been signed?
Re: How to Setup DNSSEC
On 2012-10-17 11:10, Alan Clegg wrote:
> No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.

For the DS record's data, is it the public key of the ZSK? Thanks.
Re: How to Setup DNSSEC
On 2012-10-17 11:25, Alan Clegg wrote:
> On Oct 16, 2012, at 8:17 PM, pangj <pa...@riseup.net> wrote:
>> On 2012-10-17 11:10, Alan Clegg wrote:
>>> No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.
>>
>> For the DS record's data, is it the public key of the ZSK? Thanks.
>
> No, it's a hash of the KSK.
>
> AlanC

Thanks. Never deployed DNSSEC. Will find a server to give it a try.
Re: How to Setup DNSSEC
IMO, a resolver will have the ability to get the public key of a ZSK for validating the signed RR. How will it get this public key? And is the usage of a KSK similar to a CA certificate? Thanks again.

On 2012-10-17 11:25, Alan Clegg wrote:
> On Oct 16, 2012, at 8:17 PM, pangj <pa...@riseup.net> wrote:
>> On 2012-10-17 11:10, Alan Clegg wrote:
>>> No, it means that I haven't inserted the DS record for dnslab.org into the .org zone.
>>
>> For the DS record's data, is it the public key of the ZSK? Thanks.
>
> No, it's a hash of the KSK.
>
> AlanC
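The DNSSEC replies above are compact, so here is a worked illustration of what "the DS is a hash of the KSK" means and how that gives a validator the ZSK. This is an added example, not code from the thread, from ISC or from BIND: it builds DNSKEY RDATA and a DS record per RFC 4034 (key tag from appendix B, digest over the canonical owner name plus the DNSKEY RDATA), then does what a validator does at a delegation: recompute a DS from each DNSKEY the child serves and keep the one the parent published. The matching key is the trusted KSK; its RRSIG over the DNSKEY RRset (not simulated here) is what makes the ZSK trusted, and with no DS in the parent, as in this thread, nothing matches and no AD flag is set. The key bytes and the udp53.org name are constructed sample values.

```python
import hashlib
import struct

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type codes (RFC 4034 / RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the root's zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags (257 = KSK with SEP bit, 256 = ZSK),
    protocol (always 3), algorithm number, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 appendix B): a 16-bit checksum over the DNSKEY RDATA
    used to pick a key out of a DNSKEY RRset; it is not a cryptographic hash."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), upper-case hex."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Presentation-format DS record the parent zone would publish for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type,
                                      ds_digest(owner, rdata, digest_type))


def find_trusted_ksk(owner, parent_ds_rrset, dnskey_rrset):
    """Validator step at a delegation.  `parent_ds_rrset` holds
    (key_tag, algorithm, digest_type, digest) tuples from the parent zone;
    `dnskey_rrset` holds (flags, protocol, algorithm, public_key) tuples served
    by the child.  Returns the DNSKEY whose recomputed DS the parent published
    (the trusted KSK), or None when the chain is broken / the parent has no DS."""
    for key in dnskey_rrset:
        rdata = dnskey_rdata(*key)
        for tag, alg, dtype, digest in parent_ds_rrset:
            if (tag, alg) == (key_tag(rdata), key[2]) and \
               digest.upper() == ds_digest(owner, rdata, dtype):
                return key
    return None


if __name__ == "__main__":
    # Constructed keys: real RSA/ECDSA key material is far longer than four bytes.
    ksk = (257, 3, 8, b"\x01\x02\x03\x04")
    zsk = (256, 3, 8, b"\x05\x06\x07\x08")
    print(ds_record("udp53.org.", *ksk))
    ds_set = [(key_tag(dnskey_rdata(*ksk)), 8, 2,
               ds_digest("udp53.org.", dnskey_rdata(*ksk)))]
    print("trusted KSK:", find_trusted_ksk("udp53.org.", ds_set, [zsk, ksk]))
    print("with no DS published:", find_trusted_ksk("udp53.org.", [], [zsk, ksk]))
```

Only the KSK needs a DS in the parent; the ZSK is never hashed into the parent zone, which is why a ZSK can be rolled without touching the registrar, while a KSK roll means publishing a new DS.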
Re: about the wild record
On 2012-10-15 15:38, Cathy Almond wrote:
> On 15/10/12 05:23, pangj wrote:
>> Hello, I have set up a wild record for cloudns.tk, the record:
>>
>> *.cloudns.tk. 300 IN A 209.141.54.207
>>
>> And I added another A record like this:
>>
>> s1.test.cloudns.tk. 300 IN A 8.8.8.8
>>
>> After adding this record, the record of test.cloudns.tk gets lost; it doesn't match the wild record anymore. dig test.cloudns.tk gets nothing. Can you help explain it? Thanks in advance.
>
> It's subtle. Wildcards match where there are no labels already. By adding record s1.test.cloudns.tk, you're implicitly creating domain test.cloudns.tk. It's empty, but it exists.

But I didn't define a zone test.cloudns.tk (neither NS nor SOA defined for it), so why does this domain exist? Thanks Cathy.
Re: about the wild record
> no SOA for test.cloudns.tk IMO. see:
>
> PromatoMacBook-Pro:~ pro$ dig test.cloudns.tk soa
>
> ; <<>> DiG 9.7.6-P1 <<>> test.cloudns.tk soa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60320
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;test.cloudns.tk.  IN  SOA
>
> ;; AUTHORITY SECTION:
> cloudns.tk.  300  IN  SOA  ns0.cloudwebdns.com. support.cloudwebdns.com. 1048 7200 1800 604800 300
>
> ;; Query time: 860 msec
> ;; SERVER: 211.136.192.6#53(211.136.192.6)
> ;; WHEN: Mon Oct 15 21:13:04 2012
> ;; MSG SIZE  rcvd: 96
>
> The SOA is presented in the AUTHORITY SECTION, not in the ANSWER SECTION, so it's meaningless.
>
> On Oct 15, 2012, at 3:45 AM, pangj <pa...@riseup.net> wrote:
>> On 2012-10-15 15:38, Cathy Almond wrote:
>>> On 15/10/12 05:23, pangj wrote:
>>>> Hello, I have set up a wild record for cloudns.tk, the record:
>>>>
>>>> *.cloudns.tk. 300 IN A 209.141.54.207
>>>>
>>>> And I added another A record like this:
>>>>
>>>> s1.test.cloudns.tk. 300 IN A 8.8.8.8
>>>>
>>>> After adding this record, the record of test.cloudns.tk gets lost; it doesn't match the wild record anymore. dig test.cloudns.tk gets nothing. Can you help explain it? Thanks in advance.
>>>
>>> It's subtle. Wildcards match where there are no labels already. By adding record s1.test.cloudns.tk, you're implicitly creating domain test.cloudns.tk. It's empty, but it exists.
>>
>> But I didn't define a zone test.cloudns.tk (neither NS nor SOA defined for it), so why does this domain exist?

You created s1.test.cloudns.tk -- when you did this, you automatically created test.cloudns.tk (if you had created a.b.c.d.e.cloudns.tk you would also have created e.cloudns.tk, d.e.cloudns.tk, c.d.e.cloudns.tk, b.c.d.e.cloudns.tk). The DNS is basically a tree structure -- in order to have a leaf s1.test.cloudns.tk, there needs to be a branch (test.cloudns.tk) for it to hang on. By adding the s1.test.cloudns.tk leaf you also make the branch exist.

There *is* in fact an SOA for test.cloudns.tk:

dig SOA +nocomment +nostats test.cloudns.tk

; <<>> DiG 9.9.2 <<>> SOA +nocomment +nostats test.cloudns.tk
;; global options: +cmd
;test.cloudns.tk.  IN  SOA
cloudns.tk.  226  IN  SOA  ns0.cloudwebdns.com. support.cloudwebdns.com. 1048 7200 1800 604800 300

It is the SOA for cloudns.tk.

W

>> Thanks Cathy.

--
The duke had a mind that ticked like a clock and, like a clock, it regularly went cuckoo.
-- (Terry Pratchett, Wyrd Sisters)
Re: about the wild record
Thanks for all your help. Have a nice day.

On 2012-10-16 2:02, Chris Buxton wrote:
> On Oct 15, 2012, at 6:16 AM, pa...@riseup.net wrote:
>> no SOA for test.cloudns.tk IMO. see:
>
> You have confused domain with zone. You have a zone named 'cloudns.tk.'. A zone is also a domain. Within that domain, you have the following subdomains (that you have mentioned):
>
> test.cloudns.tk.
> s1.test.cloudns.tk.
> *.cloudns.tk.
>
> All of these domain names are the apexes of domains. None of those domains are broken out (delegated) as zones (with SOA records).
>
> What everyone so far has been trying to tell you is, even though you have no records named 'test.cloudns.tk.', its existence as a domain name is implied by the existence of the child, 's1.test.cloudns.tk.'. Therefore, the wildcard will not match queries for those two domain names. Nor will it match any other domain names within those two domains -- you would need A records for the following names to cover all of the names other than s1.test:
>
> test.cloudns.tk.
> *.test.cloudns.tk.
> *.s1.test.cloudns.tk.
>
> Chris Buxton
> BlueCat Networks
about the wild record
Hello, I have set up a wild record for cloudns.tk, the record:

*.cloudns.tk. 300 IN A 209.141.54.207

And I added another A record like this:

s1.test.cloudns.tk. 300 IN A 8.8.8.8

After adding this record, the record of test.cloudns.tk gets lost; it doesn't match the wild record anymore. dig test.cloudns.tk gets nothing. Can you help explain it? Thanks in advance.

Regards.
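The explanations in this thread (wildcards only match where no name already exists; a leaf implies its branch; the negative answer carries the zone SOA in the authority section) are the wildcard rules of RFC 1034 as clarified by RFC 4592. The lookup below is an added example, not code from the thread or from BIND, that implements those rules over a constructed copy of the cloudns.tk zone: the two records from the thread plus the apex SOA (values taken from the dig output above) and an NS record. It reproduces every outcome discussed: test.cloudns.tk exists as an empty non-terminal and gets NODATA, s1.test.cloudns.tk answers, names directly under the apex are synthesized from the wildcard (including multi-label ones such as a.b.cloudns.tk), and anything under test.cloudns.tk is NXDOMAIN until the extra records Chris Buxton lists are added.

```python
ZONE_ORIGIN = "cloudns.tk."

# Constructed zone: the thread's two records plus the apex SOA and NS every zone carries.
RECORDS = {
    "cloudns.tk.": [
        ("SOA", "ns0.cloudwebdns.com. support.cloudwebdns.com. 1048 7200 1800 604800 300"),
        ("NS", "ns0.cloudwebdns.com."),
    ],
    "*.cloudns.tk.": [("A", "209.141.54.207")],
    "s1.test.cloudns.tk.": [("A", "8.8.8.8")],
}


def normalize(name):
    return name.lower().rstrip(".") + "."


def parent(name):
    """Strip the leftmost label: s1.test.cloudns.tk. -> test.cloudns.tk."""
    return name.split(".", 1)[1]


def existing_names(records):
    """Every name that exists in the zone: owners of records plus the empty
    non-terminals they imply.  The DNS is a tree, so the leaf s1.test.cloudns.tk
    cannot exist without the branch test.cloudns.tk, even if nothing is stored there."""
    names = {ZONE_ORIGIN}
    for owner in records:
        name = normalize(owner)
        while name != ZONE_ORIGIN:
            names.add(name)
            name = parent(name)
    return names


def lookup(qname, qtype, records=RECORDS):
    """Authoritative lookup following the wildcard rules of RFC 1034 / RFC 4592.
    Record owner names in `records` are fully qualified and lower-case."""
    qname = normalize(qname)
    if not (qname == ZONE_ORIGIN or qname.endswith("." + ZONE_ORIGIN)):
        raise ValueError("not authoritative for " + qname)
    names = existing_names(records)
    apex = [(ZONE_ORIGIN, t, d) for t, d in records[ZONE_ORIGIN]]
    soa = [rr for rr in apex if rr[1] == "SOA"]
    ns = [rr for rr in apex if rr[1] == "NS"]

    # 1. The name exists (possibly only as an empty non-terminal): wildcards are
    #    never consulted.  No data of the asked type -> NODATA: rcode NOERROR,
    #    empty answer, the zone's SOA in the authority section (what the dig
    #    for test.cloudns.tk in the thread shows).
    if qname in names:
        answer = [(qname, t, d) for t, d in records.get(qname, []) if t == qtype]
        if answer:
            return {"rcode": "NOERROR", "answer": answer, "authority": ns}
        return {"rcode": "NOERROR", "answer": [], "authority": soa,
                "note": "NODATA: name exists but has no %s" % qtype}

    # 2. The name does not exist: find the closest encloser (nearest existing
    #    ancestor) and look for a wildcard directly beneath it.  A wildcard may
    #    cover several labels (a.b.cloudns.tk matches *.cloudns.tk), but only if
    #    no existing branch sits between the query name and the wildcard's parent.
    encloser = parent(qname)
    while encloser not in names:
        encloser = parent(encloser)
    wildcard = "*." + encloser
    if wildcard in records:
        answer = [(qname, t, d) for t, d in records[wildcard] if t == qtype]
        if answer:
            return {"rcode": "NOERROR", "answer": answer, "authority": ns,
                    "note": "synthesized from " + wildcard}
        return {"rcode": "NOERROR", "answer": [], "authority": soa,
                "note": "NODATA: %s has no %s" % (wildcard, qtype)}
    return {"rcode": "NXDOMAIN", "answer": [], "authority": soa,
            "note": "closest encloser %s has no wildcard" % encloser}


if __name__ == "__main__":
    for name in ("test.cloudns.tk", "s1.test.cloudns.tk", "foo.cloudns.tk",
                 "a.b.cloudns.tk", "www.test.cloudns.tk"):
        print(name, lookup(name, "A"))
```

Adding `test.cloudns.tk.`, `*.test.cloudns.tk.` and `*.s1.test.cloudns.tk.` to `RECORDS`, as the thread suggests, is all it takes to make the last query answer again.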
DNS software used by cloudflare
Hello, do you know what DNS software is used by Cloudflare? And how do they defend against DDoS on DNS? Thanks.
Re: BIND 9.6-ESV-R7-P3 is now available
Should we use the latest 9.9 version of BIND instead of the other 9.x versions?

> BIND 9.6-ESV-R7-P3 is the latest production release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9.
>
> This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P3. Please see the CHANGES file in the source code release for a complete list of all changes.
install BIND on Mac OS X
Hi, I have a MacBook Pro and just want to install BIND on it for test purposes. Is there any guide for this? Thanks.
Re: install BIND on Mac OS X
Thanks.

bogon:~ pro$ named -v
BIND 9.7.3-P3

This has indeed been installed.

On 12-9-8 9:08 AM, jeffrey j donovan wrote:
> open your terminal.app and type;
>
> named -v
>
> most likely it is already installed. else you can download source tarball unpack and compile in a /usr/local/src
>
> ./configure
> make
> make install
Re: prevent DNS attack
> Do you really mean 1 GByte? I doubt your NS can handle this traffic...

1 Gbit/s. I was under attack at that time. 1 Gbit/s is nothing indeed. Last year the traffic was about 10 Gbit/s to my customer's DNS cluster.

--
Email/Jabber/Gtalk: pa...@riseup.net
Free DNS Hosting with www.DNSbed.com
prevent DNS attack
Hello, DNS is very easy to attack. My named service gets 1G or more of attack traffic sometimes. What steps can we take to prevent this? Thanks
Re: prevent DNS attack
> There is also a patch for BIND which can help: http://www.redbarn.org/dns/ratelimits

Thank you. The traffic is incoming, and the incoming IPs are fake; how will the patch work to stop them?
Re: prevent DNS attack
> define fake -- if you mean rfc1918, you can block the ranges at ingress, or with iptables or similar to avoid letting it hit bind at all.

Yes, I mean a source-spoofed DDoS attack, and I am reading this document: http://en.wikipedia.org/wiki/Ingress_filtering

Is there a sample iptables script for that?
Re: limiting number of requests of a single hosts
> You DO realize that DNS is (mostly) UDP packets, and an attacker (or in your case, the ADs) can simply send UDP packet floods to kill your firewall (in your current state), regardless of how your DNS server is configured, even when the DNS server is down?

Once we had a firewall for DNS; when it got a bunch of queries from suspect addresses, it returned a truncated message indicating the client should use TCP for its queries.
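Two points in these threads fit together: RRL exists to stop the server from reflecting a flood of identical responses toward a spoofed (victim) address, and the "truncated message telling the client to use TCP" is exactly the slip mechanism rate limiters use so that a real client behind a rate-limited network still gets through. The simulation below is an added example, not the redbarn patch, NSD's implementation or any ISC code: a token bucket keyed on (client network, query name), aggregating by /24 for IPv4 and /56 for IPv6 as BIND's RRL does by default, that answers up to the limit, then sends a tiny TC=1 reply to every second excess query and drops the rest. The packet sizes, the 5 responses per second limit and the addresses are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed packet sizes: a large answer worth reflecting (an ANY response, say),
# a truncated TC=1 reply that carries no answer data, and the forged query itself.
FULL_RESPONSE_BYTES = 3000
SLIP_RESPONSE_BYTES = 50
QUERY_BYTES = 64


class ResponseRateLimiter:
    """Token bucket keyed on (client network, query name).

    Modelled on the idea behind response rate limiting, not on any server's code:
    identical responses toward one client network are capped per second.  Once the
    bucket is empty, every `slip`-th excess query gets a tiny truncated reply (TC=1)
    that tells a genuine client to retry over TCP; the rest are dropped.  A spoofed
    source never completes the TCP handshake, so the server stops amplifying traffic
    toward the victim while real clients in that network can still be served.
    """

    def __init__(self, responses_per_second=5, window=1, slip=2,
                 ipv4_prefix=24, ipv6_prefix=56):
        self.rps = responses_per_second
        self.cap = responses_per_second * window   # burst allowance
        self.slip = slip
        self.prefixes = {4: ipv4_prefix, 6: ipv6_prefix}
        self._credits = {}                        # key -> responses left in the bucket
        self._last_seen = {}                      # key -> time of the last refill
        self._overflow = defaultdict(int)         # key -> excess queries seen so far

    def _key(self, client_ip, qname):
        # Aggregating by prefix means an attacker spoofing many addresses in one
        # block shares a single bucket; keying on the name keeps it per response.
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network("%s/%d" % (client_ip, self.prefixes[addr.version]),
                                   strict=False)
        return (str(net), qname.lower().rstrip(".") + ".")

    def decide(self, client_ip, qname, now):
        """Return "ANSWER", "SLIP" (truncated reply) or "DROP" for one query at time `now`."""
        key = self._key(client_ip, qname)
        credits = self._credits.get(key, self.cap)
        elapsed = now - self._last_seen.get(key, now)
        credits = min(self.cap, credits + elapsed * self.rps)   # refill over time
        self._last_seen[key] = now
        if credits >= 1:
            self._credits[key] = credits - 1
            return "ANSWER"
        self._credits[key] = credits
        self._overflow[key] += 1
        if self.slip and self._overflow[key] % self.slip == 0:
            return "SLIP"
        return "DROP"


def simulate_reflection(limiter, spoofed_ip, qname, count, now=0.0):
    """Fire `count` identical queries whose source is forged to `spoofed_ip` and
    total what the server would send back toward that (victim) address."""
    counts = {"ANSWER": 0, "SLIP": 0, "DROP": 0}
    size = {"ANSWER": FULL_RESPONSE_BYTES, "SLIP": SLIP_RESPONSE_BYTES, "DROP": 0}
    sent = 0
    for _ in range(count):
        verdict = limiter.decide(spoofed_ip, qname, now)
        counts[verdict] += 1
        sent += size[verdict]
    received = count * QUERY_BYTES
    return {
        "counts": counts,
        "bytes_without_rrl": count * FULL_RESPONSE_BYTES,
        "bytes_with_rrl": sent,
        "amplification_without_rrl": count * FULL_RESPONSE_BYTES / received,
        "amplification_with_rrl": sent / received,
    }


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5)
    # Constructed scenario: 100 forged queries in one second claiming to come from the victim.
    print(simulate_reflection(rrl, "192.0.2.7", "example.com", 100))
```

The limiter never looks at whether the source address is genuine, which is the questioner's objection; it does not need to. The damage in a reflection attack is measured in bytes leaving the server toward the spoofed address, and capping identical responses per destination network caps those bytes regardless of who really sent the queries.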
about the non-authoritative CNAME
Hi, if BIND is authoritative for zone a and is not authoritative for zone b, but zone b is configured in BIND's zone file, and x.zonea.com is CNAME'd to y.zoneb.com: when a DNS client queries this BIND for x.zonea.com, it gets authoritative answers for both x.zonea.com and y.zoneb.com, and certainly y.zoneb.com is a fake one. How does the DNS client handle this case? Thanks.
Re: about the non-authoritative CNAME
> In message <4fda970e.9080...@riseup.net>, pangj writes:
>> Hi, if BIND is authoritative for zone a and is not authoritative for zone b, but zone b is configured in BIND's zone file, and x.zonea.com is CNAME'd to y.zoneb.com: when a DNS client queries this BIND for x.zonea.com, it gets authoritative answers for both x.zonea.com and y.zoneb.com, and certainly y.zoneb.com is a fake one. How does the DNS client handle this case? Thanks.
>
> It depends on the client and whether the zones are signed or not and whether the client is validating responses or not. Stub clients will almost always trust the complete answer. For iterative clients it depends on their level of paranoia.

Thanks Mark. For a DNS caching-only server, for example BIND, it will always validate the response, is that right?
Re: about the non-authoritative CNAME
> named is paranoid. It discards the rest of the response after processing the CNAME.

Thanks Mark, that sounds great.
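Mark's two answers describe a bailiwick check: an iterative resolver accepts from a server only records that lie inside the zone that server is authoritative for, and once a CNAME points out of that zone it throws away whatever else the server appended and asks the target's own servers. The filter below is an added example of that behaviour, not named's code (named's actual processing is more involved), run over a constructed answer section for the scenario in the question: x.zonea.com CNAME y.zoneb.com served together with a bogus y.zoneb.com A record. The stub-resolver function beside it shows the contrast Mark draws: a stub has no bailiwick notion and takes the whole answer.

```python
def normalize(name):
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True if `name` is the zone apex or lies beneath it (the leading dot
    prevents evilzonea.com from passing as part of zonea.com)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def process_authoritative_answer(qname, zone, answer_rrs):
    """Filter an answer section the way a paranoid iterative resolver does.

    `zone` is the zone the queried server is authoritative for; `answer_rrs` are
    (owner, type, rdata) tuples in arrival order.  Records are accepted only while
    they belong to the name currently being resolved *and* sit inside the server's
    bailiwick.  Once a CNAME points outside that zone, everything appended after it
    (the server's own idea of y.zoneb.com, say) is discarded and the target is
    returned so the resolver can ask zone b's real servers itself.
    """
    accepted, discarded = [], []
    current = normalize(qname)
    requery = None
    for owner, rtype, rdata in answer_rrs:
        owner = normalize(owner)
        if requery is not None or owner != current or not in_bailiwick(owner, zone):
            discarded.append((owner, rtype, rdata))
            continue
        accepted.append((owner, rtype, rdata))
        if rtype == "CNAME":
            target = normalize(rdata)
            if in_bailiwick(target, zone):
                current = target       # keep following the chain inside the zone
            else:
                requery = target       # out of bailiwick: stop trusting this server
    # A chain ending on an in-zone CNAME with no data for its target still needs a follow-up.
    if requery is None and accepted and accepted[-1][1] == "CNAME":
        requery = current
    return {"accepted": accepted, "discarded": discarded, "requery": requery}


def stub_accepts(answer_rrs):
    """A stub resolver, by contrast, trusts its recursive server and takes everything."""
    return [(normalize(o), t, d) for o, t, d in answer_rrs]


if __name__ == "__main__":
    # Constructed response from a server authoritative for zonea.com only.
    response = [("x.zonea.com.", "CNAME", "y.zoneb.com."),
                ("y.zoneb.com.", "A", "192.0.2.1")]
    print(process_authoritative_answer("x.zonea.com", "zonea.com", response))
    print(stub_accepts(response))
```

DNSSEC adds the second line of defence Mark mentions: a validating resolver that did accept the y.zoneb.com record would still reject it for lacking a signature that chains to zone b's keys.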
Re: Verify raw data within slaves on 9.9.x
> We wrote a Perl script to transparently translate a raw zone file into text, so all of our old code that assumes that a zone file is in text format wouldn't die.

We also wrote Perl scripts to map the data from the database to the zone file, and also from the zone file to the database. See www.dnsbed.com
authoritative server is not caching?
Hello, I want to make sure whether the authoritative server won't cache anything, even the authoritative answers from itself? Coz I saw the book Pro DNS and BIND says: "The (authoritative) name server does not cache." Thanks.
about AUTHORITY SECTION
Hello, I got two different forms of AUTHORITY SECTION from dig, for example:

$ dig mydots.net @ns7.dnsbed.com

; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @ns7.dnsbed.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36520
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mydots.net.  IN  A

;; AUTHORITY SECTION:
mydots.net.  3600  IN  SOA  ns7.dnsbed.com. support.dnsbed.com. 6 10800 3600 604800 3600

;; Query time: 90 msec
;; SERVER: 58.22.107.162#53(58.22.107.162)
;; WHEN: Thu Jul 7 09:54:07 2011
;; MSG SIZE  rcvd: 86

$ dig www.mydots.net @ns7.dnsbed.com

; <<>> DiG 9.4.2-P2.1 <<>> www.mydots.net @ns7.dnsbed.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3327
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.mydots.net.  IN  A

;; ANSWER SECTION:
www.mydots.net.  900  IN  A  61.144.56.101

;; AUTHORITY SECTION:
mydots.net.  3600  IN  NS  ns7.dnsbed.com.
mydots.net.  3600  IN  NS  ns8.dnsbed.com.

;; Query time: 90 msec
;; SERVER: 58.22.107.162#53(58.22.107.162)
;; WHEN: Thu Jul 7 09:54:20 2011
;; MSG SIZE  rcvd: 94

What do the two forms of AUTHORITY SECTION mean? Thanks.