On Jul 31, 2011, at 9:15 AM, Jimmy Hess mysi...@gmail.com wrote:
Is there an RFC specifying precisely what are considered the proper
precautions?
precautions should ideally be enabled in BIND by default.
Not of which I'm aware. I'm happy to contribute to any efforts you or anyone
else are
In message 09d7a1d0-0b13-4570-8891-835ca6568...@arbor.net, Dobbins, Roland
writes:
On Jul 31, 2011, at 9:15 AM, Jimmy Hess mysi...@gmail.com wrote:
Is there an RFC specifying precisely what are considered the proper precautions?
precautions should ideally be enabled in BIND by
On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
Named already takes proper precautions by default. Recursive service is
limited to directly connected networks by default. The default
was first changed in 9.4 (2007) which is about to go end-of-life once the
final wrap up release is done.
In message ae105312-3108-4b0b-8445-7116b84ec...@arbor.net, Dobbins, Roland
writes:
On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
Named already takes proper precautions by default. Recursive service is
limited to directly connected networks by default. The default
was first changed
On Aug 1, 2011, at 9:22 AM, Mark Andrews wrote:
And even if DNS/TCP was used by default, machines can still get DoS'd because
IP is spoofable.
They can be DDoSed with spoofed or non-spoofed packets, and there are defenses
against such attacks.
Apologies if I was unclear - my point was that
-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net]
Sent: Friday, July 29, 2011 6:40 PM
To: NANOG list
Subject: Re: DNS DoS ???
On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:
my DNS servers were getting slow so I blocked recursive queries for all but
my own
On Sat, 30 Jul 2011, Drew Weaver wrote:
my DNS servers were getting slow so I blocked recursive queries for all
but my own network.
This should be the standard practice. By operating an open recursor,
you lend your DNS server to abuse as a contributor to DNS
reflection/amplification
DNS anycast can, in addition to ACLs, help distribute load.
On Jul 30, 2011 9:44 PM, Jon Lewis jle...@lewis.org wrote:
On Sat, 30 Jul 2011, Drew Weaver wrote:
my DNS servers were getting slow so I blocked recursive queries for all
but my own network.
This should be the standard practice. By
I don't think anycast works the way you think it does. It'll distribute load
for single dns servers, but not the case that he is describing.
-j
On Sat, Jul 30, 2011 at 12:01 PM, Alex Nderitu nderitua...@gmail.com wrote:
DNS anycast can, in addition to ACLs, help distribute load.
On Jul 30, 2011
With these types of attacks, usually anycast will cause rolling
outages. Anycast gives you failover, which makes sure the attack (and
good) traffic makes it to the next available server to be impaired or
taken offline.
On Jul 30, 2011, at 1:01 PM, Alex Nderitu nderitua...@gmail.com wrote:
DNS
On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver drew.wea...@thenap.com wrote:
And at this point he may as well just ACL in front of the recursors to
prevent the traffic from hitting the servers thus reducing load needed to
reject the queries on the servers themselves.
A problem for providers
On Jul 31, 2011, at 3:08 AM, Jimmy Hess wrote:
A good example, would be services such as OpenDNS.
One can argue a) that services like OpenDNS aren't necessarily a Good Thing
when run by those who don't take the proper precautions and b) that OpenDNS in
particular is run by smart, responsible
On Sat, Jul 30, 2011 at 5:53 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jul 31, 2011, at 3:08 AM, Jimmy Hess wrote:
A good example, would be services such as OpenDNS.
One can argue a) that services like OpenDNS aren't necessarily a Good Thing
when run by those who don't take the
my DNS servers were getting slow so I blocked recursive queries for
all but my own network.
Then I was getting so many of these:
ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
that it was still slowing things down. I've since written a script to
watch the
Ping me offline, there are a few other folks who have seen this as well. The
isc.org record is commonly used in reflection attacks because the size of the
record is so large, so the amplification factor is greatly increased. Can you
check to see if +edns=0 was set in the query? That would be
I see this all the time on my personal servers. I finally just told bind
to stop logging it.
On 07/29/2011 02:51 PM, Elliot Finley wrote:
my DNS servers were getting slow so I blocked recursive queries for
all but my own network.
Then I was getting so many of these:
ns2 named[5056]: client
We've been seeing this for several years on and off.
thanks,
-Drew
-Original Message-
From: Elliot Finley [mailto:efinley.li...@gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog@nanog.org
Subject: DNS DoS ???
my DNS servers were getting slow so I blocked recursive queries
I've seen this for the same on about 3 sets of nameservers I operate. fail2ban
doing a 72-hour iptables drop rule.
-Original Message-
From: Drew Weaver [mailto:drew.wea...@thenap.com]
Sent: Friday, July 29, 2011 3:01 PM
To: 'Elliot Finley'; nanog@nanog.org
Subject: RE: DNS DoS
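The watcher scripts mentioned in this thread (Elliot's log watcher, the fail2ban rule that drops a source for 72 hours) all do the same thing: count named's "query ... denied" lines per client address and block the addresses that burst. Below is an added example of that logic in Python; it is not code from anyone in the thread. The log lines are constructed in the format of the one Elliot posted, and the threshold (20 denied queries), the window (60 seconds) and the iptables rule text are assumptions; a real deployment would let fail2ban own the rule and its expiry.

```python
"""Watch named's 'query ... denied' lines and pick out reflection sources.

Added example, not code from the thread. The log lines are constructed in the
format of the one Elliot posted; the threshold, window and the iptables rule
text are assumptions (fail2ban would normally own the rule and its expiry).
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches a syslog-prefixed line such as:
#   Jul 29 14:40:01 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["name"], m["qtype"]


def find_abusers(lines, threshold=20, window_seconds=60):
    """Sliding-window count of denied queries per client address.

    Returns {ip: peak_count} for every address that sent at least `threshold`
    denied queries inside any `window_seconds` span.
    """
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps_by_ip[parsed[1]].append(parsed[0])

    abusers = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            abusers[ip] = peak
    return abusers


def qtype_breakdown(lines):
    """Count denied queries by type; a pile of ANY is the reflection signature."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[3]] += 1
    return dict(counts)


def drop_rules(abusers):
    """Render one iptables DROP rule per abusive address (rule text is an assumption)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP"
            for ip in sorted(abusers)]


def _denied(ts, ip, port, name, qtype):
    return f"{ts} ns2 named[5056]: client {ip}#{port}: query (cache) '{name}/{qtype}/IN' denied"


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    # reflection burst: 25 denied ANY queries for isc.org in 25 seconds from one address
    *[_denied(f"Jul 29 14:40:{i:02d}", "78.159.111.190", 25345 + i, "isc.org", "ANY")
      for i in range(25)],
    # a stray resolver: three ordinary A queries spread over ten minutes
    _denied("Jul 29 14:41:10", "198.51.100.7", 53211, "example.com", "A"),
    _denied("Jul 29 14:46:02", "198.51.100.7", 40012, "example.net", "A"),
    _denied("Jul 29 14:51:30", "198.51.100.7", 61003, "example.org", "A"),
    # unrelated named output the parser must skip
    "Jul 29 14:42:00 ns2 named[5056]: zone example.com/IN: loaded serial 2011072901",
]

if __name__ == "__main__":
    abusers = find_abusers(SAMPLE_LOG)
    print("denied by qtype:", qtype_breakdown(SAMPLE_LOG))
    print("abusers:", abusers)
    for rule in drop_rules(abusers):
        print(rule)
```

Two caveats a practitioner should keep in mind. First, the rule is only the second line of defence: the ACL that produces these lines in the first place is named's `allow-recursion` (BIND 9.4 and later default it to `{ localnets; localhost; }`, which is the "directly connected networks" Mark describes), and the packet-filter rule merely stops the denied queries from reaching named and filling its log. Second, in a reflection flood the client address in these lines is normally the spoofed victim, not the attacker, so the DROP rule silences your server toward that victim rather than touching whoever is sending the packets; it is still the right thing to do from the reflector's side, but it is not attribution.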
On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:
my DNS servers were getting slow so I blocked recursive queries for all but
my own network.
This should be the standard practice. By operating an open recursor, you lend
your DNS server to abuse as a contributor to DNS