Re: allow-query for a zone

2012-01-16 Thread With No Name
I would use allow-query { 127.0.0.1; };

Defense against a client?

2012-01-16 Thread Tom Schmitt
Hi, I have a problem with the load on my Bind. Normally it's fine, but from time to time there are clients which cause through a misconfiguration or a failed local service (not intentionally) a very high amount of queries. After finding and informing the responsible person this problem is

Re: Defense against a client?

2012-01-16 Thread Jeff Peng
On 2012-1-16 18:19, Tom Schmitt wrote: My question: Is there any possibility in Bind to give a quota to a client? e.g. that from a given IP no more than hundred queries per second are allowed and the rest is to be blackholed. That way only the client causing the load would have a problem but

Re: Defense against a client?

2012-01-16 Thread Peter Andreev
2012/1/16 Tom Schmitt tomschm...@gmx.de Hi, I have a problem with the load on my Bind. Normally it's fine, but from time to time there are clients which cause through a misconfiguration or a failed local service (not intentionally) a very high amount of queries. After finding and informing

Re: allow-query for a zone

2012-01-16 Thread Matus UHLAR - fantomas
On 16.01.12 14:50, Jeff Peng wrote: If I just want to disable any client to query for a zone, but keep that zone in the config file (maybe later I will enable it to be accessible), can I just set: allow-query { none; }; in the zone section? afaik you can. According to docs, you can use

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 01/15/2012 08:11 PM, Evan Hunt wrote: Looking at some query log output from BIND 9.9.0rc1, e.g. 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query: www.playground.test IN A +E

Re: Defense against a client?

2012-01-16 Thread Tom Schmitt
Original message Date: Mon, 16 Jan 2012 11:49:46 +0100 From: Roel Wagenaar r...@wagenaar.nu Subject: Re: Defense against a client? In this case iptables is your friend. One of my solutions is partly based on this:

Re: 9.9 query log change

2012-01-16 Thread Chris Thompson
On Jan 16 2012, Phil Mayers wrote: On 01/15/2012 08:11 PM, Evan Hunt wrote: Looking at some query log output from BIND 9.9.0rc1, e.g. 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query:

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 16/01/12 14:13, Chris Thompson wrote: I'm confused. The name being queried is already in the line. Why is it now in there twice? Obviously I'm not understanding something... I think Evan is saying that the change applies to all messages in which the client info appears, not just the query

[patch] UNIX sockets support for lwresd

2012-01-16 Thread Ilya Bakulin
Hi list, I'm working on Capsicum security framework [1] for the FreeBSD Project. While implementing sandbox mode for some applications like tcpdump, we have noticed that sandboxed applications are no longer able to resolve DNS names. This happens because each DNS resolving is done by making a

Re: 9.9 query log change

2012-01-16 Thread Bostjan Skufca
IP in parenthesis: It is the destination IP to which the client has sent his query. For example: Useful if you are switching IPs around in your DHCP and you want to make sure all clients have updated their configurations. b. On 16 January 2012 15:19, Phil Mayers p.may...@imperial.ac.uk wrote:

Re: Defense against a client?

2012-01-16 Thread Florian Weimer
* Chuck Anderson: Unfortunately, these sorts of per-IP limiting are going to become more and more inappropriate with the likes of Carrier Grade NATs, since there will be many subscribers sharing a single public IP address. You may end up causing performance problems for legitimate traffic.

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 16/01/12 15:19, Bostjan Skufca wrote: IP in parenthesis: It is the destination IP to which the client has sent his query. No, not that item. That's not new, and is obviously known. The *first* item in parenthesis, right after client#port.

Re: Defense against a client?

2012-01-16 Thread Jerry Kemp
I suspect that the NAT/PAT thing is at its peak (across the Internet) right now. I expect to see it beginning to dissipate in the coming years with the adoption of IPv6. Jerry On 01/16/12 09:13 AM, Chuck Anderson wrote: Unfortunately, these sorts of per-IP limiting are going to become more

Re: Defense against a client?

2012-01-16 Thread Chuck Anderson
On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: * Chuck Anderson: Unfortunately, these sorts of per-IP limiting are going to become more and more inappropriate with the likes of Carrier Grade NATs, since there will be many subscribers sharing a single public IP address.

Re: 9.9 query log change

2012-01-16 Thread Evan Hunt
15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query: www.playground.test IN A +E (131.111.9.112) the indicated parenthesized item is new, but seems always to be the same as the later query

Re: allow-query for a zone

2012-01-16 Thread Warren Kumari
On Jan 16, 2012, at 1:50 AM, Jeff Peng wrote: Hi, If I just want to disable any client to query for a zone, but keep that zone in the config file (maybe later I will enable it to be accessible), can I just set: Just out of interest, why wouldn't you just comment out the zone stanza?

Re: load balance of DNS

2012-01-16 Thread Warren Kumari
On Jan 13, 2012, at 2:30 PM, Barry Margolin wrote: In article mailman.826.1326465946.68562.bind-us...@lists.isc.org, Simon si...@bk.it.cx wrote: Hi, sure it is. Here a more detailed version: http://www.zytrax.com/books/dns/ch9/rr.html RR usually results in roughly equal load

Re: load balance of DNS

2012-01-16 Thread Barry Margolin
In article mailman.884.1326738053.68562.bind-us...@lists.isc.org, Warren Kumari war...@kumari.net wrote: On Jan 13, 2012, at 2:30 PM, Barry Margolin wrote: In article mailman.826.1326465946.68562.bind-us...@lists.isc.org, Simon si...@bk.it.cx wrote: Hi, sure it is. Here a

Re: load balance of DNS

2012-01-16 Thread Sten Carlsen
On 16/01/12 20:52, Barry Margolin wrote: In article mailman.884.1326738053.68562.bind-us...@lists.isc.org, Warren Kumari war...@kumari.net wrote: On Jan 13, 2012, at 2:30 PM, Barry Margolin wrote: In article mailman.826.1326465946.68562.bind-us...@lists.isc.org, Simon si...@bk.it.cx

Re: load balance of DNS

2012-01-16 Thread Dave Sparro
On Mon, Jan 16, 2012 at 2:52 PM, Barry Margolin bar...@alum.mit.edu wrote: One (icky) solution is to hand out more addresses for one server than the other… www.example.com IN A 192.168.1.1 www.example.com IN A 192.168.1.2 www.example.com IN A 192.168.1.3 www.example.com IN A

RE: load balance of DNS

2012-01-16 Thread Todd Snyder
do you propose he specify the ratios with BIND? One (icky) solution is to hand out more addresses for one server than the other… www.example.com IN A 192.168.1.1 www.example.com IN A 192.168.1.2 www.example.com IN A 192.168.1.3 www.example.com IN A 192.168.2.1 Bind

Re: load balance of DNS

2012-01-16 Thread Warren Kumari
On Jan 16, 2012, at 2:58 PM, Todd Snyder wrote: do you propose he specify the ratios with BIND? One (icky) solution is to hand out more addresses for one server than the other… www.example.com IN A 192.168.1.1 www.example.com IN A 192.168.1.2 www.example.com IN A 192.168.1.3

Re: Defense against a client?

2012-01-16 Thread Mark Andrews
In message barmar-8f6f85.14511816012...@news.eternal-september.org, Barry Margolin writes: In article mailman.880.1326731999.68562.bind-us...@lists.isc.org, Chuck Anderson c...@wpi.edu wrote: On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: * Chuck Anderson:

Re: allow-query for a zone

2012-01-16 Thread Jeff Peng
On 2012-1-17 1:58, Warren Kumari wrote: Just out of interest, why wouldn't you just comment out the zone stanza? Would cut down on memory usage, load time, etc… I'm sure you have a use case, just a wondering… Well, my dns manage system (dnsbed.com) requires a zone pause feature. When user click