Tony,

Didn't see this mentioned in the other thread messages, but depending on what version of BIND you are using you may find a lot of benefit in using the Response Rate Limiting (RRL) feature. https://www.isc.org/blogs/bind-9-9-4-released/

We have found it to be VERY effective in reducing a lot of these nuisance attacks.

Best regards!
John Murtari

On 12.01.2016 18:16, Tony Finch wrote:
> Tomas Hozza <tho...@redhat.com> wrote:
>>
>> Recently I was trying to find a mechanism in BIND that could prevent the
>> server from processing a recursive query for non-existing domains.
>
> Have a look at https://www.isc.org/blogs/tldr-resolver-ddos-mitigation/
>
>> I was thinking about using RPZ with QNAME policy trigger, but this
>> applies only to the responses to queries and still makes the server to
>> try to resolve it.
>
> RPZ has a "qname-wait-recurse no" option.

This is exactly the thing I was looking for. Thank you very much!

Tomas

> Tony.

------------------------------

Message: 8
Date: Wed, 13 Jan 2016 14:45:41 +0100 (CET)
From: sth...@nethelp.no
To: h.rei...@thelounge.net
Cc: bind-users@lists.isc.org
Subject: Re: Bind9 on VMWare
Message-ID: <20160113.144541.41671315.sth...@nethelp.no>
Content-Type: Text/Plain; charset=us-ascii

>> Complexity?
>
> which complexity?
>
> a virtual guest is less complex because you don't need a ton of daemons
> for hardware-monitoring, drivers and what not on the guest

For me the relevant comparison is my ordinary OS vs. my ordinary OS + VMWare.

> complex are 30 physical servers instead of two fat nodes running a
> virtualization cluster with one powerful shared storage

Ayup, lots of eggs in one basket. I absolutely believe virtualization has its place. I also believe that "everywhere" is not that place.

bind-users is probably not the right forum to discuss virtualization, so I'll just leave the discussion at that for my part.
Steinar Haug, Nethelp consulting, sth...@nethelp.no

------------------------------

Message: 9
Date: Wed, 13 Jan 2016 15:02:47 +0100
From: "Philippe Maechler" <pmaechler...@glattnet.ch>
To: <bind-users@lists.isc.org>
Subject: RE: Bind9 on VMWare
Message-ID: <008501d14e0b$1503ea80$3f0bbf80$@glattnet.ch>

>> I'm not sure if it is a good thing to have physical servers, although we have
>> a vmware cluster in both nodes which has enough capacity (ram, cpu, disk)?
>> I once read that the vmware boxes have a performance issue with heavy udp
>> based services. Did anyone of you face such an issue? Are your dns servers
>> all running on physical or virtual boxes?
>
> where did you read that?

I don't remember where I read that. I guess it was on a mailing list where the OP had issues with either a DHCP or syslog server. It all came down to the vmware host/switch which was not good enough for udp services. Could be that this was on VMware 4.x and got better on 5.x. But as I said, I can't recall exactly where that was.

------------------------------

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

End of bind-users Digest, Vol 2286, Issue 2
*******************************************
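As an added named.conf example (not posted by anyone in the digest above), the two mitigations raised in the RRL/RPZ exchange combined: a `rate-limit` block for RRL and a `response-policy` statement with `qname-wait-recurse no`, so a QNAME-triggered policy hit is answered without the resolver recursing for the name. The network prefix, zone name, file name and the rate values are constructed sample values, not recommendations from the thread.

```conf
options {
    directory "/var/named";
    recursion yes;
    // Constructed sample prefix: only our own clients may recurse.
    allow-recursion { 192.0.2.0/24; };

    // Response Rate Limiting (BIND 9.9.4+). RRL counts identical responses
    // per client prefix; nxdomains-per-second matters most for floods of
    // queries for non-existent names. Values below are sample values.
    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;              // seconds of history kept per client prefix
        slip 2;                // every 2nd dropped response becomes a TC=1 reply
        ipv4-prefix-length 24;
        log-only yes;          // start in log-only mode, set to "no" once tuned
    };

    // RPZ with a QNAME trigger. Without qname-wait-recurse no, BIND resolves
    // the name first and only then applies the policy; with it, a QNAME match
    // is answered immediately from the policy zone.
    response-policy {
        zone "rpz.local";
    } qname-wait-recurse no;
};

// Constructed local policy zone; never served to clients directly.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };
};
```

In the policy zone file, a record such as `bad.example CNAME .` (plus `*.bad.example CNAME .` for subdomains) yields an NXDOMAIN policy action for that QNAME; `rndc reload` after editing, and watch the `rate-limit` log category before switching `log-only` off.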