Re: DNS passthrough on no explicit result?

2014-01-31 Thread Vernon Schryver
require SMTP clients (mail senders) to infer an implicit MX from derived A or records. Vernon Schryver v...@rhyolite.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list

Re: RPZ2 patch for 9.9.4-release -- can I use the -rc1 patch?

2013-09-25 Thread Vernon Schryver
. Please see http://www.redbarn.org/dns/ratelimits http://lists.redbarn.org/mailman/listinfo/dnsrpz-info http://lists.redbarn.org/mailman/listinfo/ratelimits Vernon Schryver v...@rhyolite.com

Re: RRL probably not useful for DNS IP blacklists,

2013-09-24 Thread Vernon Schryver
and the proposals to put B-trees into the DNS wire protocol make sense only if you assume that rsync is the only way to distribute DNSBL data and that wildcards cannot be used in DNSBLs because rbldnsd didn't like them and that rsync is the only way to distribute DNSBL data. Vernon Schryver v...@rhyolite.com

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Vernon Schryver
the machinery in any full featured DNS implementation a dynamic DB? The term database should not imply SQL or even relational. Vernon Schryver v...@rhyolite.com

Re: RRL probably not useful for DNS IP blacklists,

2013-09-23 Thread Vernon Schryver
makes little more sense than protecting a reverse zone. By the way, how much smaller would that DNSBL be if it could use wildcards? I suspect a real (as opposed to synthetic) DNSBL has a lot of repetition in all except the last labels. Vernon Schryver v...@rhyolite.com

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-20 Thread Vernon Schryver
for unrelated reasons. Major DNSBL providers have years since limited anonymous clients for business or other reasons. For example, I think Spamhaus limits anonymous clients to fewer than 3 queries/second. Vernon Schryver v...@rhyolite.com

Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-19 Thread Vernon Schryver
? Vernon Schryver v...@rhyolite.com

Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-19 Thread Vernon Schryver
think something else was broken. Recall that the design goals of RRL include continuing to provide services to legitimate DNS clients at the same IP address as are being forged in a DNS reflection DoS attack. Vernon Schryver v...@rhyolite.com

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Vernon Schryver
the link labeled Patch files for BIND9 on http://www.redbarn.org/dns/ratelimits Both of those versions are or will be in official BIND releases. I've lost track of which releases have or will have which of those two RPZ sets of performance improvements. Vernon Schryver v...@rhyolite.com

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Vernon Schryver
policy zones is in none of those and so will not be in 9.9.4. My bet would be on 9.10 along with client IP address triggers and drop and truncate actions. I think the multiple zone speed-up is in the subscription-only 9.9.4-S and so will be in 9.9.4-S1. Vernon Schryver v...@rhyolite.com

Re: How to suppress ADDITIONAL SECTION per zone

2013-07-05 Thread Vernon Schryver
and the additional tuning it could require. Our experience is: the RRL patch, used with its default parameters, simply does the job. (thanks for the good news.) See http://www.redbarn.org/dns/ratelimits Vernon Schryver v...@rhyolite.com

Re: RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)

2013-07-05 Thread Vernon Schryver
reflection attack, it can be sending a lot of bits/second. Some DNS servers are not bothered by a few extra Gbit/sec of DNS output bandwidth, but many are. In other words, as I see them, as DNS reflection mitigation, minimal-responses yes is like blocking ANY, just wishful thinking. Vernon Schryver v

Re: RPZ - how to modify NS records in answer?

2013-06-21 Thread Vernon Schryver
instead? rpz-nsdomain is wrong. The special RPZ owner labels are rpz-ip, rpz-nsdname, rpz-nsip, and some day rpz-client-ip. Vernon Schryver v...@rhyolite.com

Re: Rate-Limit Question

2013-06-15 Thread Vernon Schryver
the XML patches to add a date and perhaps extract some version numbers. Vernon Schryver v...@rhyolite.com

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Vernon Schryver
reductions in network and CPU load during attacks thanks to RRL, but they were not the intended victims of the attacks. Vernon Schryver v...@rhyolite.com Please join me in trying not to feed the troll.

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Vernon Schryver
checklist for any UDP based protocol. A year+ ago, Paul said Make it so for BIND9 DNS, and we started hashing out details. Vernon Schryver v...@rhyolite.com

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Vernon Schryver
these rules in the external view on an open resolver: *. CNAME tpc-only-rpz. *.mydomain CNAME passthru.rpz. Like RRL, such ideas are not as good as closing the resolver, but less bad than leaving it unprotected. Vernon Schryver v...@rhyolite.com

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Vernon Schryver
+attack Vernon Schryver v...@rhyolite.com

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Vernon Schryver
done to BGP sessions and so forth and so on. Consider the implications of those facts, as well as the general meaning of denial of service attack on any Final Ultimate Solution that requires DDoS victims to send packets to DNS servers. Vernon Schryver v...@rhyolite.com

Re: any requests

2013-06-06 Thread Vernon Schryver
. Vernon Schryver v...@rhyolite.com

Re: any requests

2013-06-05 Thread Vernon Schryver
of the RRsets. However, in both cases, the proverb applies. If wishes were horses, beggars would ride. Vernon Schryver v...@rhyolite.com

Re: any requests

2013-06-05 Thread Vernon Schryver
, but it comes from the same school of security expertise. Vernon Schryver v...@rhyolite.com

Re: any requests

2013-06-02 Thread Vernon Schryver
: For every complex problem there is an answer that is clear, simple, and wrong. Vernon Schryver v...@rhyolite.com

Re: DDOS attack Bind 9.9 - P2

2013-05-03 Thread Vernon Schryver
and if so, how urgently. And where do I download this patch? See the links on http://www.redbarn.org/dns/ratelimits Vernon Schryver v...@rhyolite.com

Re: DDOS attack Bind 9.9 - P2

2013-05-03 Thread Vernon Schryver
effects are generally limited to pauses and slow downs as affected applications time out and retry. Vernon Schryver v...@rhyolite.com

Re: DDOS attack Bind 9.9 - P2

2013-04-30 Thread Vernon Schryver
iptables rules that do as good a job as RRL. However, the common iptables rules that rate limit incoming requests based entirely on either query types or DNS client IP addresses block ilegitimate queries and so are distinctly inferior to RRL. Vernon Schryver v...@rhyolite.com

RE: I'm having thousands of queries ...

2013-04-15 Thread Vernon Schryver
that repeat DNS requests. See http://www.redbarn.org/dns/ratelimits Vernon Schryver v...@rhyolite.com

Re: RPZ and negative answers

2013-04-05 Thread Vernon Schryver
.) I don't know what I did to make the test I tried fail. Besides, when trying to rewrite based on names, the code uses the current state of query name (possibly along a CNAME chain) or ns.name, the name of a relevant name server. Vernon Schryver v...@rhyolite.com

Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Vernon Schryver
?q=patch+command Vernon Schryver v...@rhyolite.com

Re: trouble compiling bind 9.9.2-P2 with rate limit patch rl-9.9.2-P2.patch

2013-04-05 Thread Vernon Schryver
with RRL. Currently there are at least FreeBSD ports and a Red Hat Enterprise Linux Desktop update. See https://rhn.redhat.com/errata/RHSA-2013-0550.html https://bugzilla.redhat.com/show_bug.cgi?id=906312 and http://www.freebsd.org/ports/dns.html#bind99-9.9.2.1 Vernon Schryver v...@rhyolite.com

Re: rate limit dns query response ...

2013-04-04 Thread Vernon Schryver
probably use BIND9 9.9.3b2. 4. add something like this to named.conf: rate-limit { responses-per-second 5; }; Vernon Schryver v...@rhyolite.com

Re: RPZ and negative answers

2013-04-04 Thread Vernon Schryver
using RPZ to trap the malware into contacting the honeypot server. Why isn't it both sufficient and better to list the NS servers or NS servers for the NS servers of the evil domains? Won't NS servers for the N domains be known, especially after the first of the N domains goes active? Vernon

Re: Blocking private addresses with a optionq

2013-04-03 Thread Vernon Schryver
. Vernon Schryver v...@rhyolite.com

Re: RPZ and negative answers

2013-04-03 Thread Vernon Schryver
settings to enable rpz-nsip and rpz-nsdname rules. They are enabled by default in future released versions of BIND as well as the speed-up patches that can be found by following the link labeled Patch files for BIND9 on http://www.redbarn.org/dns/ratelimits Vernon Schryver v...@rhyolite.com

Re: Does 9.9.2-P2 support rate-limit configuration?

2013-04-01 Thread Vernon Schryver
the version string for the FreeBSD ports. Vernon Schryver v...@rhyolite.com

Re: Hack Attempt?

2013-03-27 Thread Vernon Schryver
in the SOA MNAME field), and to any servers listed in the also-notify option. If master-only, notifies are only sent for master zones. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent. Vernon Schryver v...@rhyolite.com

Re: Suspecious DNS traffic

2013-03-25 Thread Vernon Schryver
kinds of reflection DoS attacks. Many stateful firewalls can also record the source and destination IP addresses and port numbers of outgoing UDP packets and allow subsequent incoming UDP packets with source and destination reversed. This has nothing to do with TCP. Vernon Schryver v

Re: querying TLD nameservers - limitations

2013-03-24 Thread Vernon Schryver
are irrelevant. They're like those who define spam as that which they don't do. http://www.rhyolite.com/anti-spam/that-which-we-dont.html Vernon Schryver v...@rhyolite.com

Re: spf ent txt records.

2013-03-22 Thread Vernon Schryver
://tools.ietf.org/html/draft-hoffman-dane-smime-04 http://www.dmarc.org/draft-dmarc-base-00-02.txt Is SRV the precedent being followed? Vernon Schryver v...@rhyolite.com

Re: spf ent txt records.

2013-03-18 Thread Vernon Schryver
that you label very little negative impact and ignore those hypothetical TXT abuse scaling problems...not to mention complying with RFC 4408bis. Whatever is done by vanity domains and by domains that publish ~all or ?all without _dmarc will remain irrelevant. Vernon Schryver v...@rhyolite.com

Re: spf ent txt records.

2013-03-17 Thread Vernon Schryver
and TXT records. https://www.rfc-editor.org/rfc/rfc6686.txt Vernon Schryver v...@rhyolite.com

Re: spf ent txt records.

2013-03-17 Thread Vernon Schryver
in the core must be soon, because IPv6 has already been baking for a lot longer than 10 years. Besides, unlike TXT for SPF, IPv4 has real problems in the real world. Vernon Schryver v...@rhyolite.com

Re: 100% CPU / wedge with 9.8.3-P4 RPZ?

2013-03-16 Thread Vernon Schryver
-2013 00:04:14.447 16-Mar-2013 07:21:07.576 16-Mar-2013 11:06:46.515 Vernon Schryver v...@rhyolite.com

Re: 100% CPU / wedge with 9.8.3-P4 RPZ?

2013-03-16 Thread Vernon Schryver
to be made without a core file. Vernon Schryver v...@rhyolite.com

Re: 100% CPU / wedge with 9.8.3-P4 RPZ?

2013-03-16 Thread Vernon Schryver
+file Gdb would have been handy for looking at named without creating a core file or disturbing the process by more than what it would see as a jump in time. Vernon Schryver v...@rhyolite.com

Re: how to verify RPZ with a 'known bad' domain from 3rd party zone file?

2013-03-11 Thread Vernon Schryver
the rate-limit category and the querylog option. Vernon Schryver v...@rhyolite.com

Re: Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with failed to connect: timed out ?

2013-03-07 Thread Vernon Schryver
was at 07-Mar-2013 23:11. Vernon Schryver v...@rhyolite.com

Re: 3rd party CNAMEs and open recursion

2013-03-04 Thread Vernon Schryver
with a Windows thing, I want to use my trusted, DNSSEC aware resolver. I wanted to use TSIG or SIG, but could find no way to tell Windows' stub anything about any keys. Tunnelling was easier than fiddling with BIND on Windows, and works fine. Vernon Schryver v...@rhyolite.com

Re: Problems with resolving a local tld

2013-02-28 Thread Vernon Schryver
of your legitimate domains? Vernon Schryver v...@rhyolite.com

Re: Problems with resolving a local tld

2013-02-28 Thread Vernon Schryver
solutions of https://www.cabforum.org/Guidance-Deprecated-Internal-Names.pdf linked from that Entrust.net web page mentions DANE or DNSSEC not at all but does include some less plausible solutions? Vernon Schryver v...@rhyolite.com

Re: Problems with resolving a local tld

2013-02-28 Thread Vernon Schryver
) before DNS (while ignoring the DNS über alles crowds), what is the problem with short local names? I often use short names inside my network. Vernon Schryver v...@rhyolite.com

Re: allow-recursion slowing server to crawl

2013-02-27 Thread Vernon Schryver
://www.isc.org/software/bind8/security/matrix Vernon Schryver v...@rhyolite.com

Re: disabling lame server logging

2013-02-26 Thread Vernon Schryver
server but fall back to another server. Vernon Schryver v...@rhyolite.com

Re: allow-query and views

2013-02-21 Thread Vernon Schryver
view defined in bin/named/config.c. https://www.google.com/search?q=dig+command+web finds at least three web pages with loose enough parsing to allow not only simple requests for A records but poking at chaos, so you don't need to pay for a shell account somewhere or rely on charity. Vernon

Re: allow-query and views

2013-02-21 Thread Vernon Schryver
. Figured that the specific view ones were all that was needed. Now I am upset. It's not a real view, because you can't change it except by editing the BIND source, using the version, hostname, and server-id options, hiding it as the ARM says, or with default options. Vernon Schryver v

Re: allow-query and views

2013-02-21 Thread Vernon Schryver
bug) when I decided to stop hiding the version I use lest anyone think I don't do what I advocate with BIND patches. I don't know whether the bug is in the ARM or the code. If you pick one, I can argue the other. Vernon Schryver v...@rhyolite.com

Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Vernon Schryver
costs some time and effort and risks breakage. Vernon Schryver v...@rhyolite.com

Re: broken ISP in china

2013-02-18 Thread Vernon Schryver
such as this. Vernon Schryver v...@rhyolite.com

Re: Free secondary servers supporting DNSSEC?

2013-02-17 Thread Vernon Schryver
RRSIG and NSEC or NSEC3 record types? Or does it not have EDNS support? In any case, some naming and shaming seems appropriate. Basic DNSSEC support (i.e. maybe not yet TLSA or SMIMEA) is a fundamental checklist item today. Vernon Schryver v...@rhyolite.com

Re: Free secondary servers supporting DNSSEC?

2013-02-17 Thread Vernon Schryver
expect for holidays? Why isn't there far more noise in the graphs? Vernon Schryver v...@rhyolite.com

Re: dns_journal_write_transaction on managed-keys-zone

2013-02-11 Thread Vernon Schryver
that might cause managed key errors. That raises the obvious questions: - Was the previous version that did not have those errors BIND 9.9.2? - Was anything changed besides installing the patch in the BIND source and the rate-limit{} statement in named.conf? Vernon Schryver v

RE: Selective resolution in a corporate environment

2013-02-05 Thread Vernon Schryver
with the RRL patches. See the link on http://www.redbarn.org/dns/ratelimits There is also the RPZ mailing list at https://lists.isc.org/mailman/listinfo/dnsrpz-interest Vernon Schryver v...@rhyolite.com

Re: Selective resolution in a corporate environment

2013-02-05 Thread Vernon Schryver
as RPZ. I've long wanted better ways for application code I've written to adjust resolver choices than whacking /etc/resolv.conf. You can pervert the _res interface, but it's worse than ugly. Vernon Schryver v...@rhyolite.com

Re: injecting a temp entry into dns cache

2013-02-02 Thread Vernon Schryver
DNSSEC, which make a local DNS zone useless. Vernon Schryver v...@rhyolite.com

Re: MNAME not a listed NS record

2013-01-16 Thread Vernon Schryver
, and generally scary for mere humans to handle, and so you'd better buy their patent medicine. On the other hand, good outfits simply sell competent services, perhaps including technical support, but always without acting like proverbial used car and computer saleslime. Vernon Schryver v...@rhyolite.com

Re: gitnamed, a project to manage name server by git

2013-01-08 Thread Vernon Schryver
matter because high temperatures can only be a good thing given the weather.) Vernon Schryver v...@rhyolite.com

Re: Getting RPZ statistics

2012-12-07 Thread Vernon Schryver
exist. I agree that the idea is worth thinking about. Recent versions of the BIND9 RPZ code have improved logging. On DNS servers that are not too busy, it might be possible to synthesize useful RPZ statistics with awk/perl/whatever applied to the RPZ log category. Vernon Schryver v