Hi all,
I deployed a cluster of DNS which combined with a master and two slaves
recently. I opened the response rate limiting function in slaves, with
parameters like below:
rate-limit {
    ipv4-prefix-length 32;
    responses-per-second 250;
    all-per-second 1000;
    min-table-size 10;
Just one quick one before I run off to lunch with regards to section 2:
- Try to avoid crossing NUMA boundaries. At high throughput, the context
switching and far memory calls kill performance.
Stuart
From: bind-users on behalf of Victoria Risk
Date: Wednesday, 8 July 2020 at 11:58
To: bind
A while ago we created a KB article with tips on how to improve your
performance with our Kea dhcp server. The tips were fairly obvious to our
developers and this was pretty successful. We would like to do something
similar for BIND, provide a dozen or so tips for how to maximize your
throughpu
On Tue, Jul 07, 2020 at 04:32:37PM -0700, Gregory Sloop wrote:
> I've seen reports that HMAC-MD5 is the only valid key type.
That was the case at one time, but hasn't been for years.
> Is there any (security) reason/implications to use something "better"
> than MD5?
MD5 is broken (as is SHA
So, I've spent some time looking at the man pages and googling without any
definitive answer.
I'm generating some new rndc keys for my bind9 config. (9.11.3 in this
particular case, if it matters.)
rndc-confgen has quite a number of options for the key-type - but I'm not sure
what BIND9 will h
On Tue, 7 Jul 2020, Tony Finch wrote:
Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
> > minimal-any yes;
> Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so tha
Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
> >
> > minimal-any yes;
>
> Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so that it will
put an entry in its cache.
On 07 Jul 2020, at 12:06, Michael De Roover wrote:
> On 7/7/20 4:06 PM, Tony Finch wrote:
>
>> max-udp-size 1420;
>> https://dnsflagday.net/2020/
> Interesting, I wasn't aware of this campaign. I don't know if I'm
> knowledgeable enough on UDP to be able to make educated decisions on
On Tue, 7 Jul 2020, Shumon Huque wrote:
> Cloudflare themselves now implement the "minimal any" behavior described
> in this spec:
> https://tools.ietf.org/html/rfc8482
> cloudflare.com. 3789 IN HINFO "RFC8482" ""
Gee, that's a pretty minimal answer! Thanks.
On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
>
> > Reduce the size of responses to ANY queries, which are a favourite tool of
> > amplification attacks. There's basically no downside to this one, in my
> > opinion, but I'm biased because I implemen
On Tue, 7 Jul 2020, Tony Finch wrote:
> Reduce the size of responses to ANY queries, which are a favourite tool of
> amplification attacks. There's basically no downside to this one, in my
> opinion, but I'm biased because I implemented it.
> minimal-any yes;
Why only reduce and not eliminate
On 7/7/20 4:06 PM, Tony Finch wrote:
> An auth-only server can also be used for amplification attacks that use
> its authoritative zones - these attacks don't have to use recursion.
> There are a few ways to mitigate auth-only amplification attacks.
> Response rate limiting is very effective. Start off
@lbutlr wrote:
>
> > rate-limit { responses-per-second 10; };
>
> Does that apply to local queries as well (for example, a mail server may
> easily make a whole lot of queries to 127.0.0.1, and rate limiting it
> would at the very least affect logging and could delay mail if the MTA
> cannot v
Not quite on-topic, but consider this an essential element of making my
BIND signing, authoritative server and name service work well.
Does anyone know of or ideally have experience with Canadian
(CIRA-authorized) and ideally _Canadian-based_ .ca registrars that handle
DNSSEC and ipv6 properly
@lbutlr wrote:
>
> The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16.
`dnssec-enable yes` has been the default since 2007, so that directive has
been useless for quite a long time :-) What changed in 9.16 is that you
now can't turn DNSSEC off. (Specifically, support for cor
On 07 Jul 2020, at 08:06, Tony Finch wrote:
Excellent post, and a nice summary of some best practices.
I have a couple of questions.
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you ca
On 06 Jul 2020, at 17:59, Mark Andrews wrote:
> Nsupdate can normally determine the name of the zone that has to be updated
> so most of the time you don’t need to specify the zone. There are a few
> cases, like when adding delegating NS records or glue to the parent zone you
> have to overrid
Michael De Roover wrote:
>
> Said friend said to me that he tested my authoritative name servers and
> found them to be not vulnerable. [snip] They do not respond to recursive
> queries. It appears that the test of whether a server is "vulnerable" or
> not has to do with this. The command used to
On Tue, Jul 07, 2020 at 03:00:13PM +0200, Michael De Roover wrote a message of 46 lines which said:
> The command used to test this was apparently "dig +short
> test.openresolver.com TXT @your.name.server".
ANY instead of TXT may be more efficient (specially with +dnssec), if
the goal is to g
Hello,
Recently I discussed with a friend of mine the idea of NTP and DNS in
the context of denial of service attacks. In NTP this amplification
attack is done with the monlist command (that should honestly never have
been publicly available due to its purpose being pretty much entirely
debug