9.9.10 drives a stake through its heart by its
inclusion of the contents of those patches.
Vernon Schryver v...@rhyolite.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing
lear. In the
absence of an explicit MX record, the standards require SMTP clients
(mail senders) to infer an implicit MX from derived A or records.
Vernon Schryver v...@rhyolite.com
and RPZ mailing lists. I've
promised to finish this week.
Please see
http://www.redbarn.org/dns/ratelimits
http://lists.redbarn.org/mailman/listinfo/dnsrpz-info
http://lists.redbarn.org/mailman/listinfo/ratelimits
Vernon Schryver v...@rhyolite.com
to be a clue that #3 is not a
real alternative.
My solution is #2 but with real DNS servers with local copies of
DNSBLs maintained with IXFR. There are obvious problems with that,
starting with the tree of authorities for those IXFRs, but I think
it's better than #1 and not as comple
Ls and the proposals to put
B-trees into the DNS wire protocol make only if you assume that rsync
is the only way to distribute DNSBL data and that wildcards cannot be
used in DNSBLs because rbldnsd didn't like them and that rsync is the
only way to distribute DNSBL data.
Ve
use NSEC instead of NSEC3 when signing, since
protecting a DNSBL from zone walking makes little more sense than
protecting a reverse zone.
By the way, how much smaller would that DNSBL be if it could use
wildcards? I suspect a real (as opposed to synthetic) DNSBL has
a lot of repet
as end-user IP
addresses changes, why isn't the machinery in any full featured
DNS implementation a "dynamic DB"? The term "database" should not
imply "sql" or even "relational."
Vernon Schryver v...@rhyolite.com
ed.
However, that is unlikely to be a worry, because providing DNSBL
services over the open Internet is a dubious idea for unrelated reasons.
Major DNSBL providers have years since limited anonymous clients for
business or other reasons. For example, I
em suffered hostname
lookup failures, then I think something else was broken.
Recall that the design goals of RRL include continuing to provide
services to legitimate DNS clients at the same IP address as are
being forged in a DNS reflection DoS attack.
Vernon Schryver v...@rhyolite.com
spews of spam or SMTP
clients (mail senders) spewing spam or without required DNSBL whitelisting.
A legitimate DNS client that is squelched by RRL will time-out every
other repeated request and (with the default SLIP=2) retry with TCP.
What problems did you see with your mail system and your recu
more
substantial set of RPZ speed improvements for multiple policy zones
is in none of those and so will not be in 9.9.4. My bet would be
on 9.10 along with client IP address triggers and "drop" and
"truncate" actions. I think the multiple zone speed-up is in the
subscription
the BIND RRL patches by following the link
labeled "Patch files for BIND9" on http://www.redbarn.org/dns/ratelimits
Both of those versions are or will be in official BIND releases.
I've lost track of which releases have or will have which of those
two RPZ sets of perform
uot; without RRL DNS
server is participating in a DNS reflection attack, it can be sending
a lot of bits/second. Some DNS servers are not bothered by few
extra Gbit/sec of DNS output bandwidth, but many are
In other words, as I see them, as DNS reflection mitigation,
"minimal-responses yes
a patched bind
> and the additional tuning it could require. Our experience is: the RRL
> patch, used with its default parameters, simply does the job.
(thanks for the good new.)
See http://www.redbarn.org/dns/ratelimits
Vernon Schryver v...@rhyolite.com
sdname'
> should be used instead?
"rpz-nsdomain" is wrong. The special RPZ owner labels are rpz-ip,
rpz-nsdname, rpz-nsip, and some day rpz-client-ip.
Vernon Schryver v...@rhyolite.com
I should change the
script that generates that ARM HTML text from the XML patches to add
a date and perhaps extract some version numbers.
Vernon Schryver v...@rhyolite.com
I'm joking.
> Personally I've never understood why RRL wasn't already baked in.
I've been saying for decades that rate limiting should be on the
IESG checklist for any UDP based protocol. A year+ ago, Paul said
"Make it so" for BIND9 DNS, and we started hashing ou
ported drastic reductions in
network and CPU load during attacks thanks to RRL, but they were not
the intended victims of the attacks.
Vernon Schryver v...@rhyolite.com
Please join me in trying not to feed the troll.
alls allow (often none)--not
to mention what the incoming flood might have done to BGP sessions
and so forth and so on.
Consider the implications of those facts, as well as the general meaning
of "denial of service attack" on any Final Ultimate Solution that
req
e.com/search?q=tcp+syn+attack
Vernon Schryver v...@rhyolite.com
of participants.
It might be helped by including anti-reflection rules in other RPZ
products.
The RPZ "TCP-only" policy might be used in private kludges. Consider
these rules in the external view on an open resolver:
*. CNAME rpz-tcp-only.
*.mydomain CNAME pass
downstream neighbors stop doing CNAME
lookups as well.
Vernon Schryver v...@rhyolite.com
nd abused by attackers
and filtered by operators based on dubious assumptions.
Filtering ANY is not as bad as blocking all ICMP or blocking TCP/53,
but it comes from the same school of security "expertise."
Vernon Schryver v...@rhyolite.com
ask for ANY, MX, A, and ,
but some of the time the ANY would have all of the RRsets.
However, in both cases, the proverb applies.
"If wishes were horses, beggars would ride"
Vernon Schryver v...@rhyolite.com
not only get
MX, A, and , but also TXT, SRV, SPF, DNSKEY, and any others as
well as RRSIGs for everything.
Vernon Schryver v...@rhyolite.com
ocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken:
For every complex problem there is an answer that is clear,
simple, and wrong.
Vernon Schryver v...@rhyolite.com
sts.
With RRL, those effects are generally limited to pauses and slow downs
as affected applications time out and retry.
Vernon Schryver v...@rhyolite.com
, how
urgently.
> And where do I download this patch?
See the links on http://www.redbarn.org/dns/ratelimits
Vernon Schryver v...@rhyolite.com
is still so rare that finding 1,000,000 DNS server IP
addresses with large amplification requires more effort than other
reflection mechanisms.
Vernon Schryver v...@rhyolite.com
P.S. Maybe there should be an FAQ somewhere, because it seems as if
I'v
as good of job.
That is widely known to be false in general. In principle one could
write iptables rules that do as good a job as RRL. However, the
common iptable rules that rate limit incoming requests based entirely
on either query types or DNS client IP addresses block illegitimate
querie
because RRL can slow down browsers, SMTP servers
(mail receivers), and other applications that repeat DNS requests.
See http://www.redbarn.org/dns/ratelimits
Vernon Schryver v...@rhyolite.com
IND and the RPZ/RRL patches should wait for BIND releases with RRL.
Currently there are at least FreeBSD ports and a Red Hat Enterprise
Linux Desktop update. See
https://rhn.redhat.com/errata/RHSA-2013-0550.html
https://bugzilla.redhat.com/show_bug.cgi?id=906312
and
http://www.freebsd.org/po
gle.com/search?q=patch+command
Vernon Schryver v...@rhyolite.com
*.subdomain.domain.de.)
I don't know what I did to make the test I tried fail.
Besides, when trying to rewrite based on names, the code uses the
current state of query name (possibly along a CNAME chain) or
ns.name, the name of a relevant name server.
agement solution, rather than using RPZ to trap the malware into
> contacting the honeypot server.
Why isn't it both sufficient and better to list the NS servers or
NS servers for the NS servers of the evil domains? Won't NS servers
for the N domains be known, especially after the fir
l them. I would probably use BIND9 9.9.3b2.
4. add something like this to named.conf
rate-limit { responses-per-second 5; };
Vernon Schryver v...@rhyolite.com
erwise.
Previous versions of the RPZ mechanism in BIND required ./configure
settings to enable rpz-nsip and rpz-nsdname rules. They are enabled
by default in future released versions of BIND as well as the speed-up
patches that can found by following the link labeled "Patch fil
uld RPZ work in this case?
This is some more complete text from the 9.8.4-P1 ARM without patches:
By default, the actions encoded in an RPZ are applied
only to queries that ask for recursion (RD=1).
That default can be changed for a single RPZ or all RPZs in a view
with a recursiv
ludd the version
string for the FreeBSD ports.
Vernon Schryver v...@rhyolite.com
s (except the master server identified in the
SOA MNAME field), and to any servers listed in the also-notify
option.
If master-only, notifies are only sent for master zones. If
explicit, notifies are sent only to servers explicitly listed
using also-notify. If no, no
nd mechanism prevents outsiders from
originating TCP connections, but does not protect against using the
local system for some kinds of reflection DoS attacks.
Many stateful firewalls can also record the source and destination
IP addresses and port numbers of outgoing UDP packets and allow
subsequ
s. They can't
understand that evil is as evil does and that their claimed motives
are irrelevant. They're like those who define spam as that which they
don't do. http://www.rhyolite.com/anti-spam/that-which-we-dont.html
Vernon Schryver v...@rhyolite.com
fanf-dane-smtp-04
https://tools.ietf.org/html/draft-hoffman-dane-smime-04
http://www.dmarc.org/draft-dmarc-base-00-02.txt
Is SRV the precedent being followed?
Vernon Schryver v...@rhyolite.com
as many others have done.
They will care about the costs that you label "very little negative
impact" and ignore those hypothetical TXT abuse scaling problems...not
to mention complying with RFC 4408bis.
Whatever is done by vanity domains and by domains that publish ~all
or ?all w
quot;
Your flag day for turning off IPv4 in the core must be soon, because
IPv6 has already been baking for a lot longer than 10 years. Besides,
unlike TXT for SPF, IPv4 has real problems in the real world.
Vernon Schryver v...@rhyolite.com
ything
specifically about SenderID and read only about popularity of SPF and
TXT records. https://www.rfc-editor.org/rfc/rfc6686.txt
Vernon Schryver v...@rhyolite.com
See
https://www.google.com/search?q=create+core+file
Gdb would have been handy for looking at named without creating a
core file or disturbing the process by more than what it would see
as a jump in time.
Vernon Schryver v...@rhyolite.com
be
made without a core file.
Vernon Schryver v...@rhyolite.com
:26:50.262 08-Mar-2013 07:27:13.176 08-Mar-2013 07:33:29.203
08-Mar-2013 10:07:05.829 08-Mar-2013 11:18:09.837 15-Mar-2013 22:52:02.969
16-Mar-2013 00:04:14.447 16-Mar-2013 07:21:07.576 16-Mar-2013 11:06:46.515
Vernon Schryver v...@rhyolite.com
ilsafe against leaks (perhaps rewriting to NXDOMAIN).
Vernon Schryver v...@rhyolite.com
M) describing"
http://www.redbarn.org/dns/ratelimits as I suggested last week,
then you should find the "rate-limit" category and the querylog option.
Vernon Schryver v...@rhyolite.com
r-2013 00:17 GMT.
There are zillions of successful transfers, and the last was at
07-Mar-2013 23:11.
Vernon Schryver v...@rhyolite.com
course, suitably restricted to answering only 127.0.0.1 or ::1)
When traveling with a Windows thing, I want to use my trusted,
DNSSEC aware resolver. I wanted to use TSIG or SIG, but could find
no way to tell Windows' stub anything about any keys. Tunnelling
was easi
d the Windows equivalent) before DNS (while
ignoring the DNS ubber alles crowds),
what is the problem with short local names?
I often use short names inside my network.
Vernon Schryver v...@rhyolite.com
;recommended solutions" of
https://www.cabforum.org/Guidance-Deprecated-Internal-Names.pdf linked
from that Entrust.net web page mentions DANE or DNSSEC not at all but
does include some less plausible "solutions"?
Vernon Schryver v...@rhyolite.com
ate, secret sub-domain of one of your
legitimate domains?
Vernon Schryver v...@rhyolite.com
ee http://www.redbarn.org/dns/ratelimits
If RRL is too radical or can't be installed immediately, I'd still
get away from BIND8. See https://www.isc.org/software/bind/security
and https://www.isc.org/software/bind8/security/matrix
Vernon Schryver v...@rhyolite.com
S server
but fall back to another server.
Vernon Schryver v...@rhyolite.com
-alpha with the rrl and rpz2
patches. I found that feature (or perhaps bug) when I decided to
stop hiding the version I use lest anyone think I don't do what I
advocate with BIND patches.
I don't know whether the bug is in the ARM or the code. If you
pick one,
section. Figured that the
> specific view ones were all that was needed. Now I am upset.
It's not a real view, because that you can't change it except by
editing the BIND source, using the version, hostname, and server-id
options, hiding it as the ARM says, or with defa
a shell account somewhere or rely on charity.
Vernon Schryver v...@rhyolite.com
6
and DNSSEC, but I've not used them. I could switch, but even when
the old registrar cooperates, switching costs some time and effort
and risks breakage.
Vernon Schryver v...@rhyolite.com
nspf.org/FAQ/Forwarding is unambiguous about
the interaction of -all with mailing lists such as this.
Vernon Schryver v...@rhyolite.com
tor
and control their DKIM and SPF authenticators and check inbox placement
rates at "(bulk mail) receivers" such as AOL, Comcast, etc.
DMARC is also unintentionally great for showing the old "use SPF to
protect yourself from spammers" to be the marketing nonsense and cult
non
omains,
Tucows/Opensrs said "Please try not ask us do that again soon."
Vernon Schryver v...@rhyolite.com
the dips and bumps you'd expect
for holidays? Why isn't there far more noise in the graphs?
Vernon Schryver v...@rhyolite.com
and
NSEC or NSEC3 record types? Or does it not have EDNS support?
In any case, some naming and shaming seems appropriate. Basic
DNSSEC support (i.e. maybe not yet TLSA or SMIMEA) is a fundamental
checklist item today.
Vernon Schryverv...@r
ght cause
managed key errors. That raises the obvious questions:
- Was the previous version that did not have those errors BIND 9.9.2?
- Was anything changed besides installing the patch in the BIND source
and the rate-limit{} statement in named.conf?
Vernon Schryverv...@rhy
time I notice a problem with a
non-trivial domain, those responsible will already be on the job and
I would only be an irritating user or luser. They will already have been
alerted by their monitors as well as hordes of other lusers.
In other words, when did you last alert stra
main were working. It's hard to build or fix
things with a wrecking ball.
Vernon Schryver v...@rhyolite.com
effect can
be had by with separate resolvers or a resolver that lies only when
asked on some ports or IP addresses.
BIND views are just as much about lying as RPZ.
I've long wanted better ways for application code I've written to
adjust r
e with the RRL patches. See the link on
http://www.redbarn.org/dns/ratelimits
There is also the RPZ mailing
list at https://lists.isc.org/mailman/listinfo/dnsrpz-interest
Vernon Schryver v...@rhyolite.com
t union would be using DNSSEC, which
make a local DNS zone useless.
Vernon Schryver v...@rhyolite.com
Internet
in general are too complicated, dangerous, and generally scary for
mere humans to handle, and so you'd better buy their patent medicine.
On the other hand, good outfits simply sell competent services, perhaps
including technical support, but always without acting like proverbial
low tire.
(cue discussion with wife 2 mornings later when I noticed the flat
tire about the "flame (sic)" idiot light that she'd been watching since
before the trip to the dealer and that obviously didn't matter because
high temperatures can only be a good thing given the weat
ach policy zone, but those statistics don't
exist. I agree that the idea is worth thinking about.
Recent versions of the BIND9 RPZ code have improved logging. On DNS
servers that are not too busy, it might be possible to synthesize
useful RPZ statistics with awk/perl/whatever applied to th