Re: named tcp dos?

2018-08-02 Thread Randy Bush
> We run about 300 TLD's on our DNS platform and get roughly 5-10% TCP
> queries.

that is quite a variance

> In comparison, we get about 25-30% IPv6 queries.

wonder how that compares to others

thanks for actual data

randy

RE: named tcp dos?

2018-08-02 Thread Browne, Stuart via bind-users
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> Randy Bush
> Sent: Friday, 3 August 2018 6:08 AM
>
> >> ... are there that many folk doing tcp out there?
> > All name servers fall back to TCP when they receive truncated replies.
>
> we

Re: named tcp dos?

2018-08-02 Thread Randy Bush
> ... are there that many folk doing tcp out there?
All name servers fall back to TCP when they receive truncated replies.
>>>
>>> we know the protocol. [ and we know folk have idiot middleboxen ]
>>>
>>> what i was asking was the distribution of this in the wild
>>
>> one word:

Re: named tcp dos?

2018-08-02 Thread Greg Rivers
On Thursday, August 02, 2018 22:12:38 Reindl Harald wrote:
>
> On 02.08.2018 at 22:07 Randy Bush wrote:
> >>> ... are there that many folk doing tcp out there?
> >> All name servers fall back to TCP when they receive truncated replies.
> >
> > we know the protocol. [ and we know folk have

BIND 9.11.4 dnstap not capturing updates

2018-08-02 Thread greg.rabil
Hello BIND users, (my apologies if this gets posted twice, I first sent to bind-us...@isc.org instead of bind-users@lists.isc.org) I am running BIND 9.11.4 on CentOS 7, built with support for dnstap. I am testing capturing of all DNS

Re: named tcp dos?

2018-08-02 Thread Randy Bush
>> estimate or measure the distribution of the ratio of udp to tcp
>> queries on say 100 cctld servers
>
> bla - 512 bytes are easily exceeded
>
> more than 10 years ago i also thought i am smart and TCP 53 is only
> needed for zone-transfers until i realized that random e-mail errors
> where

BIND 9.11.4 dnstap not capturing updates

2018-08-02 Thread greg.rabil
Hello BIND users,

I am running BIND 9.11.4 on CentOS 7, built with support for dnstap. I am testing capturing of all DNS packets, including DNS update packets, but they don't seem to be captured. Here are my named.conf options:

dnstap-output file "/tmp/dnstap.output" ;
dnstap {

Re: named tcp dos?

2018-08-02 Thread Dennis Clarke
On 08/02/2018 04:16 PM, Randy Bush wrote:
> it is in a contest with ipv6 for non-deployment

I read this mail list ALL the time and finally something appears that quite literally made me call over a few guys to point at my screen. Well done. Let's make up a tee-shirt with that on it :

Re: named tcp dos?

2018-08-02 Thread Randy Bush
... are there that many folk doing tcp out there?
>>> All name servers fall back to TCP when they receive truncated replies.
>>
>> we know the protocol. [ and we know folk have idiot middleboxen ]
>>
>> what i was asking was the distribution of this in the wild
>
> one word: DNSSEC i.e.

Re: named tcp dos?

2018-08-02 Thread Randy Bush
>> ... are there that many folk doing tcp out there?
> All name servers fall back to TCP when they receive truncated replies.

we know the protocol. [ and we know folk have idiot middleboxen ]

what i was asking was the distribution of this in the wild.

randy

Re: named tcp dos?

2018-08-02 Thread Greg Rivers
On Thursday, August 02, 2018 12:58:32 Randy Bush wrote:
> ... are there that many folk doing tcp out there?
> All name servers fall back to TCP when they receive truncated replies.

-- 
Greg Rivers

Re: named tcp dos?

2018-08-02 Thread Randy Bush
> mdig @147.28.0.39 -f queries.txt
>
> queries.txt contains 40x
> switch.ch A
>
> I would suggest something like this:
>
> rate-limit {
>    // start rate-limiting if more then X identical
>    // responses per second, default 0 i.e. unlimited
>    responses-per-second 25;
>

Re: named tcp dos?

2018-08-02 Thread Daniel Stirnimann
Hello Randy,

> so, i guess there is a named tcp dos going around. using bind9, is
> there an amelioration? or am i misconfigured in some way?

It looks to me that this is a side effect of a very permissive RRL configuration. My tests with the following command indicate that you have set