[Pdns-users] Botnet news + small Recursor 3.6.0 update
Hi everybody,

First let's start with the good news - we've been receiving some great feedback from PowerDNS Recursor 3.6.0 deployments using the 'pdns-distributes-queries' setting. According to 'namebench', we now exceed even on-site Google 8.8.8.8 in perceived performance by a significant margin, while lowering CPU usage dramatically [1].

Secondly, the botnet mitigation code in Recursor 3.6.0 is holding up well, but we still see A Lot of malicious DNS traffic. To determine exactly which users are attacking your recursor with such traffic, we've enhanced 'dnsscope' (one of our DNS analysis tools) with the --servfail-tree option. This option generates a per-domain suffix list of IP addresses sending servfail-generating traffic.

A provisional document for how to benefit from --servfail-tree and use it to configure bulk IP blocking based on ipset can be found on:

https://gist.github.com/ahupowerdns/53c9ec191f9b32803392

This also includes links on where to download binary packages of dnsscope.

Note by the way that the instructions are not PowerDNS specific, and will also help you protect other nameservers.

Good luck, and if you have any questions, please do not hesitate to contact us!

Bert

[1] commit 06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage!

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
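As an added illustration (not code from the post or from the PowerDNS project) of why the hash-based distribution in commit 06ea901 can cut work so sharply: the toy model below assumes each worker thread keeps its own cache, and compares round-robin with qname-hash distribution on a constructed query stream; the hash function, thread count and sample names are all chosen for the example.

```python
"""Toy model: round-robin vs. qname-hash distribution of queries over worker threads.

Assumption (for the example only): each worker thread keeps its own cache, so a
name that lands on a thread which has not seen it yet is a cache miss there.
"""
import hashlib
from typing import Callable, List, Sequence, Tuple

Chooser = Callable[[int, str, int], int]


def normalise(qname: str) -> str:
    """Treat 'WWW.Example.COM.' and 'www.example.com' as the same name."""
    return qname.rstrip(".").lower()


def round_robin_thread(seq_no: int, qname: str, num_threads: int) -> int:
    """Pick the next thread in turn; the query name plays no role."""
    return seq_no % num_threads


def hashed_thread(seq_no: int, qname: str, num_threads: int) -> int:
    """Hash the normalised qname so repeats of a name always reach one thread.

    blake2b is used because Python's built-in hash() is randomised per process;
    the Recursor's own hash function is not modelled here (assumption).
    """
    digest = hashlib.blake2b(normalise(qname).encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(digest, "big") % num_threads


def simulate(queries: Sequence[str], chooser: Chooser, num_threads: int = 4) -> Tuple[int, List[int]]:
    """Return (total cache misses, per-thread cache sizes) for a query stream."""
    caches: List[set] = [set() for _ in range(num_threads)]
    misses = 0
    for seq_no, qname in enumerate(queries):
        thread = chooser(seq_no, qname, num_threads)
        name = normalise(qname)
        if name not in caches[thread]:
            misses += 1
            caches[thread].add(name)
    return misses, [len(c) for c in caches]


# Constructed sample stream: two names, each asked several times in a row.
SAMPLE_QUERIES = ["www.example.com."] * 8 + ["mail.example.com"] * 4

if __name__ == "__main__":
    for label, chooser in (("round-robin", round_robin_thread), ("qname-hash", hashed_thread)):
        misses, sizes = simulate(SAMPLE_QUERIES, chooser)
        print(f"{label:12s} misses={misses} per-thread cache sizes={sizes}")
```

With round-robin every thread has to resolve each name itself (8 misses, every cache holding both names); with hashing each name is resolved once and cached on exactly one thread (2 misses).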
Re: [Pdns-users] New to PowerDNS
> It takes very little time for powerdns to pick up the changes. Adding records is backend specific, but assuming you are using the mysql backend (gmysql), you can use the schema at
> http://doc.powerdns.com/html/generic-mypgsql-backends.html#idp62194400
> This will also show you how to insert records.
>
> To enable DNSSEC, first set gmysql-dnssec=yes in the configuration, then run
>
> pdnssec secure-zone your.zone
>
> This will create the necessary DNSSEC information for live signing. You can verify the changes with
>
> pdnssec show-zone your.zone
>
> This will also show you the DS and DNSKEY records you need for upstream.

Hi Aki,

Confirmed, it's refreshed a few seconds after I insert the records.

For the DNSSEC part, is there a way to create the DNSSEC information just by SQL? If not, the solution is to run pdnssec secure-zone ZONE in a loop on a cron script, am I right?
[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)
k...@rice.edu wrote:
> On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
>> For the DNSSEC part, is there a way to create the DNSSEC information just by SQL? If not, the solution is to run pdnssec secure-zone ZONE in a loop on a cron script, am I right?
>
> I do not know about a SQL-only solution for MySQL DNSSEC signing, but I know that there is a sample schema for Oracle that includes the needed triggers and functions, and that I have a basically complete version of the same for PostgreSQL that I will be submitting to the PDNS folks once we have it vetted for production.

Hmm, am I the only one who is concerned about the security of the signing process?

Please don't get me wrong. But people are advocating DANE nowadays and aim to completely replace X.509 certs with that. So security of the signed RRs is crucial, just like issuing X.509 certs.

And yes, I know that it's hard to achieve a higher level of operational security.

Ciao,
Michael.