Re: Stopping ddos

2022-08-02 Thread KEVIN DARCY via bind-users
I've never actually used RRL, but from the manual, it appears to default to a /24 prefix length to determine whether IPv4 clients are "similar" enough to be lumped in the same bucket, for RRL purposes. That might need to be tweaked, depending on the profile of whoever is attacking/abusing you.

Re: Resolve any query to same IP address

2021-07-21 Thread Kevin Darcy via bind-users
[ Classification Level: GENERAL BUSINESS ] Dot "." instead of asterisk "*" as the zone name. Remove the "hint" zone, since that doesn't apply when you host your own root zone. You need a proper MNAME for the SOA RR too. - Kevin On Wed, Jul 21, 2021 at 11:18

Re: query-source and listened interfaces

2021-07-13 Thread Kevin Darcy via bind-users
I've done the match-destinations/query-source thing before, but in addition to that, it should theoretically be possible to also use a shared cache between the views, via attach-cache. I've never played with that directive myself, however.

Re: Managing localhost

2021-06-21 Thread Kevin Darcy via bind-users
That chapter doesn't show any PTR records, for the reverse zones of any *public* address range, pointing back to a "localhost" name. It only shows a PTR record in the reverse zone for the 127.0.0/24 private range, which is what enables a reverse lookup

Re: How to return REFUSED

2021-05-05 Thread Kevin Darcy via bind-users
I just checked the ARM, and it denotes that "match-recursive-only" (boolean) still exists for views. So, you might be able to set up a special view with that, as well as a negated match-clients, specifying allow-query { none; }. Put it as the first view,

Re: Bind9 weighted load balancing

2021-04-30 Thread Kevin Darcy via bind-users
Duplicate RRs are suppressed, as per the standards. RFC 2181, Section 5: Each DNS Resource Record (RR) has a label, class, type, and data. It is meaningless for two records to ever have label, class, type and data all equal - servers should

Re: Configuring the location of named .jnl files

2021-04-26 Thread Kevin Darcy via bind-users
Ivan, I've never done the Let's Encrypt thing myself, but from my skim of the documentation, it appears they want you to place a TXT record in a specific part of your domain's namespace hierarchy. I sincerely hope you're not trying to write

Re: Preventing a particular type of nameserver abuse

2021-04-12 Thread Kevin Darcy via bind-users
It's not a "BIND" solution, per se, but if you have a sufficiently sophisticated IPS (Intrusion Prevention System) you could have it simply drop all queries of a particular QNAME, or any particular combination of QNAME, QTYPE, QCLASS, before those