Re: allow-query for a zone

2012-01-16 Thread With No Name
I would use allow-query { 127.0.0.1; };

Defense against a client?

2012-01-16 Thread Tom Schmitt
Hi, I have a problem with the load on my Bind. Normally it's fine, but from time to time there are clients which cause, through a misconfiguration or a failed local service (not intentionally), a very high number of queries. After finding and informing the responsible person this problem is most

Re: Defense against a client?

2012-01-16 Thread Jeff Peng
On 2012-1-16 18:19, Tom Schmitt wrote: My question: Is there any possibility in Bind to give a quota to a client? e.g. that from a given IP no more than a hundred queries per second are allowed and the rest is to be blackholed. That way only the client causing the load would have a problem but not

Re: Defense against a client?

2012-01-16 Thread Peter Andreev
2012/1/16 Tom Schmitt > Hi, > > I have a problem with the load on my Bind. Normally it's fine, but from > time to time there are clients which causes through a misconfiguration or a > failed local service (not intentionally) a very high amount of queries. > After finding and informing the respons

Re: allow-query for a zone

2012-01-16 Thread Matus UHLAR - fantomas
On 16.01.12 14:50, Jeff Peng wrote: If I just want to disable any client to query for a zone, but keep that zone in the config file (maybe later I will enable it to be accessible), can I just set: allow-query { none; }; in the zone section? afaik you can. According to docs, you can use allo

Re: Defense against a client?

2012-01-16 Thread Roel Wagenaar
"Tom Schmitt" wrote: > Hi, > > I have a problem with the load on my Bind. Normally it's fine, but from time to time there are clients which causes through a misconfiguration or a failed local service (not intentionally) a very high amount of queries. After finding and informing the r

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 01/15/2012 08:11 PM, Evan Hunt wrote: Looking at some query log output from BIND 9.9.0rc1, e.g. 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query: www.playground.test IN A +E (131.111.9.11

Re: Defense against a client?

2012-01-16 Thread Tom Schmitt
Original-Nachricht > Datum: Mon, 16 Jan 2012 11:49:46 +0100 > Von: Roel Wagenaar > Betreff: Re: Defense against a client? > > In this case iptables is your friend. > > One of my solutions is partly based on this: > > http://codingfreak.blogspot.com/2010/01/iptables-rate-limi

Re: 9.9 query log change

2012-01-16 Thread Chris Thompson
On Jan 16 2012, Phil Mayers wrote: On 01/15/2012 08:11 PM, Evan Hunt wrote: Looking at some query log output from BIND 9.9.0rc1, e.g. 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query: www.

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 16/01/12 14:13, Chris Thompson wrote: I'm confused. The name being queried is already in the line. Why is it now in there twice? Obviously I'm not understanding something... I think Evan is saying that the change applies to all messages in which the client info appears, not just the query

[patch] UNIX sockets support for lwresd

2012-01-16 Thread Ilya Bakulin
Hi list, I'm working on Capsicum security framework [1] for the FreeBSD Project. While implementing sandbox mode for some applications like tcpdump, we have noticed that sandboxed applications are no longer able to resolve DNS names. This happens because each DNS resolving is done by making a conne

Re: Defense against a client?

2012-01-16 Thread Chuck Anderson
On Mon, Jan 16, 2012 at 01:13:44PM +0100, Tom Schmitt wrote: > > Original-Nachricht > > Datum: Mon, 16 Jan 2012 11:49:46 +0100 > > Von: Roel Wagenaar > > Betreff: Re: Defense against a client? > > > > > In this case iptables is your friend. > > > > One of my solutions is part

Re: 9.9 query log change

2012-01-16 Thread Bostjan Skufca
IP in parenthesis: It is the destination IP to which the client has sent his query. For example: Useful if you are switching IPs around in your DHCP and you want to make sure all clients have updated their configurations. b. On 16 January 2012 15:19, Phil Mayers wrote: > On 16/01/12 14:13, Ch

Re: Defense against a client?

2012-01-16 Thread Florian Weimer
* Chuck Anderson: > Unfortunately, these sorts of per-IP limiting are going to become more > and more inappropriate with the likes of Carrier Grade NATs, since > there will be many subscribers sharing a single public IP address. > You may end up causing performance problems for legitimate traffic.

Re: 9.9 query log change

2012-01-16 Thread Phil Mayers
On 16/01/12 15:19, Bostjan Skufca wrote: IP in parenthesis: It is the destination IP to which the client has sent his query. No, not that item. That's not new, and is obvious & known. The *first* item in parenthesis, right after client#port.

Re: 9.9 query log change

2012-01-16 Thread Bostjan Skufca
Ah, I see now, dunno, sorry for the noise :) b. On 16 January 2012 16:41, Phil Mayers wrote: > On 16/01/12 15:19, Bostjan Skufca wrote: > >> IP in parenthesis: It is the destination IP to which the client has sent >> his query. >> > > No, not that item. That's not new, and is obvious & known.

Re: Defense against a client?

2012-01-16 Thread Jerry Kemp
I suspect that the NAT/PAT thing is at its peak (across the Internet) right now. I expect to see it beginning to dissipate in the coming years with the adoption of IPv6. Jerry On 01/16/12 09:13 AM, Chuck Anderson wrote: > Unfortunately, these sorts of per-IP limiting are going to become more >

Re: Defense against a client?

2012-01-16 Thread Chuck Anderson
On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: > * Chuck Anderson: > > > Unfortunately, these sorts of per-IP limiting are going to become more > > and more inappropriate with the likes of Carrier Grade NATs, since > > there will be many subscribers sharing a single public IP addr

Re: 9.9 query log change

2012-01-16 Thread Evan Hunt
> >>15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): > >>^ > >>query: www.playground.test IN A +E (131.111.9.112) > >> > >>the indicated parenthesized item is new, but seems always to be the same > >>a

Re: 9.9 query log change

2012-01-16 Thread Warren Kumari
On Jan 16, 2012, at 12:05 PM, Evan Hunt wrote: 15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): ^ query: www.playground.test IN A +E (131.111.9.112) the indicated parenthesize
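The "Defense against a client?" thread asks for a per-IP quota (no more than a hundred queries per second from one source), and the "9.9 query log change" thread pins down the exact query-log line BIND writes, with and without the new parenthesised name after client#port. The following is an added example, not code from the list or from ISC: it parses both log shapes, computes each client's peak queries per second, and flags clients over a threshold. It also separates a single broken client (one query name repeated over and over) from a source that sends many different names, because, as Chuck Anderson points out, a busy address behind a carrier-grade NAT may be many subscribers, and blackholing it hurts all of them. The log lines, the RFC 5737 addresses, the thresholds and the function names are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches both query-log shapes quoted in the thread: the pre-9.9 form
#   15-Jan-2012 18:24:45.358 client 131.111.11.47#58644: query: www.playground.test IN A +E (131.111.9.112)
# and the 9.9 form, which adds the queried name in parentheses after the client socket
#   15-Jan-2012 18:24:45.358 client 131.111.11.47#58644 (www.playground.test): query: ...
LINE_RE = re.compile(
    r"^(?P<second>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+)"
    r"(?: \((?P<name99>[^)]+)\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)


def parse_query_line(line):
    """Return the fields of one query-log line, or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "second": m.group("second"),          # timestamp truncated to whole seconds
        "client": m.group("client"),          # source address (IPv4 or IPv6)
        "qname": m.group("qname").lower(),
        "qtype": m.group("qtype"),
        "dst": m.group("dst"),                # server address the query arrived on
    }


def peak_rates(records):
    """Per client: the busiest one-second bucket and how concentrated its query names are."""
    per_second = defaultdict(Counter)   # client -> Counter(second -> queries)
    names = defaultdict(Counter)        # client -> Counter(qname -> queries)
    for r in records:
        per_second[r["client"]][r["second"]] += 1
        names[r["client"]][r["qname"]] += 1
    stats = {}
    for client, buckets in per_second.items():
        second, peak = buckets.most_common(1)[0]
        qname, n = names[client].most_common(1)[0]
        stats[client] = {
            "peak_qps": peak,
            "second": second,
            "top_qname": qname,
            "top_share": n / sum(names[client].values()),
        }
    return stats


def find_offenders(lines, qps_limit=100, repeat_share=0.9):
    """Clients whose peak rate exceeds qps_limit. A client whose queries are almost all
    for one name looks like a single looping resolver; a spread of names may be a NAT
    gateway in front of many users, which a per-IP blackhole would punish collectively."""
    records = [r for r in map(parse_query_line, lines) if r]
    offenders = {}
    for client, st in peak_rates(records).items():
        if st["peak_qps"] > qps_limit:
            st["looks_like_single_broken_client"] = st["top_share"] >= repeat_share
            offenders[client] = st
    return offenders


def _sample_line(second, client, port, qname, fmt99=True):
    """Build one constructed log line in either format (example data, not a real log)."""
    src = f"client {client}#{port}" + (f" ({qname})" if fmt99 else "")
    return f"16-Jan-2012 {second}.000 {src}: query: {qname} IN A +E (192.0.2.53)"


# Constructed sample: one client hammering a single name, one sending many names at a
# similar rate (mixed old and new log formats), and one well-behaved client.
SAMPLE_LOG = (
    [_sample_line("10:00:01", "198.51.100.7", 40000 + i, "api.example.net") for i in range(150)]
    + [_sample_line("10:00:01", "203.0.113.9", 50000 + i, f"host{i % 40}.example.org", fmt99=(i % 2 == 0))
       for i in range(120)]
    + [_sample_line("10:00:01", "192.0.2.10", 6000 + i, "www.example.com", fmt99=False) for i in range(5)]
)


if __name__ == "__main__":
    for client, st in find_offenders(SAMPLE_LOG).items():
        kind = "single broken client" if st["looks_like_single_broken_client"] else "many names, maybe NAT"
        print(f"{client}: {st['peak_qps']} qps at {st['second']}, top name {st['top_qname']} ({kind})")
```

Feed it the lines of the query log channel; the offender list is what you hand to the responsible person, or to an iptables rule, while the single-client flag is the check to make before blackholing an address that may be shared.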

Re: allow-query for a zone

2012-01-16 Thread Warren Kumari
On Jan 16, 2012, at 1:50 AM, Jeff Peng wrote: > Hi, > > If I just want to disable any client to query for a zone, but keep that zone > in the config file (maybe later I will enable it to be accessable), can I > just set: Just out of interest, why wouldn't you just comment out the zone stanza?

Re: load balance of DNS

2012-01-16 Thread Warren Kumari
On Jan 13, 2012, at 2:30 PM, Barry Margolin wrote: > In article , > Simon wrote: > >> Hi, >> >> sure it is. >> >> Here a more detailed version: >> http://www.zytrax.com/books/dns/ch9/rr.html > > RR usually results in roughly equal load balancing. He said he wants > one of the addresses to

Re: Defense against a client?

2012-01-16 Thread Barry Margolin
In article , Chuck Anderson wrote: > On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: > > * Chuck Anderson: > > > > > Unfortunately, these sorts of per-IP limiting are going to become more > > > and more inappropriate with the likes of Carrier Grade NATs, since > > > there will b

Re: load balance of DNS

2012-01-16 Thread Barry Margolin
In article , Warren Kumari wrote: > On Jan 13, 2012, at 2:30 PM, Barry Margolin wrote: > > > In article , > > Simon wrote: > > > >> Hi, > >> > >> sure it is. > >> > >> Here a more detailed version: > >> http://www.zytrax.com/books/dns/ch9/rr.html > > > > RR usually results in roughly equal

Re: load balance of DNS

2012-01-16 Thread Sten Carlsen
On 16/01/12 20:52, Barry Margolin wrote: > In article , > Warren Kumari wrote: > >> On Jan 13, 2012, at 2:30 PM, Barry Margolin wrote: >> >>> In article , >>> Simon wrote: >>> Hi, sure it is. Here a more detailed version: http://www.zytrax.com/books/dns/ch9/rr.htm

Re: load balance of DNS

2012-01-16 Thread Dave Sparro
On Mon, Jan 16, 2012 at 2:52 PM, Barry Margolin wrote: >> One (icky) solution is to hand out more addresses for one server than the >> other… >> >> www.example.com  IN  A  192.168.1.1 >> www.example.com  IN  A  192.168.1.2 >> www.example.com  IN  A  192.168.1.3 >> www.example.com  IN  A  192.168.

RE: load balance of DNS

2012-01-16 Thread Todd Snyder
>> do you propose he specify the ratios with BIND? >> >> One (icky) solution is to hand out more addresses for one server than >> the other… >> >> www.example.com IN A 192.168.1.1 >> www.example.com IN A 192.168.1.2 >> www.example.com IN A 192.168.1.3 >> www.example.com IN A 192.168.2

Re: load balance of DNS

2012-01-16 Thread Warren Kumari
On Jan 16, 2012, at 2:58 PM, Todd Snyder wrote: >>> do you propose he specify the ratios with BIND? >>> >>> One (icky) solution is to hand out more addresses for one server than >>> the other… >>> >>> www.example.com IN A 192.168.1.1 >>> www.example.com IN A 192.168.1.2 >>> www.example.c

Re: Defense against a client?

2012-01-16 Thread Mark Andrews
In message , Barry Margolin writes: > In article , > Chuck Anderson wrote: > > > On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: > > > * Chuck Anderson: > > > > > > > Unfortunately, these sorts of per-IP limiting are going to become more > > > > and more inappropriate with the

Re: load balance of DNS

2012-01-16 Thread Mark Andrews
In message , Warren Kumari writes: > > On Jan 16, 2012, at 2:58 PM, Todd Snyder wrote: > > >>> do you propose he specify the ratios with BIND? > > >>> One (icky) solution is to hand out more addresses for one server than > > >>> the other… > > >>> www.example.com IN A
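The "load balance of DNS" thread proposes weighting servers by giving one of them more addresses in the www RRset. The following is an added example, not code from the list or from BIND: it models what clients then do under an explicitly configured `rrset-order { order cyclic; };` (assumed here; rotation is what gives the ratio) and shows both the 3:1 split the trick aims for and how it collapses when clients ignore answer order and sort the addresses themselves, which stub resolvers and address-selection rules in libraries can do. The 192.168.x.x addresses and the server labels are constructed for the example; an RRset cannot carry two identical records, which is why each unit of weight needs a distinct address.

```python
from collections import Counter

# Constructed RRset in the shape the thread proposes: three addresses for server A,
# one for server B (example addresses, not a real deployment).
WWW_RRSET = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.2.1"]
SERVER_OF = {"192.168.1.1": "A", "192.168.1.2": "A", "192.168.1.3": "A", "192.168.2.1": "B"}


def cyclic_answers(rrset, n_answers):
    """Model `rrset-order ... order cyclic;`: each successive answer carries the
    RRset rotated one position further than the previous one."""
    for i in range(n_answers):
        k = i % len(rrset)
        yield rrset[k:] + rrset[:k]


def load_share(rrset, server_of, n_clients, pick=lambda answer: answer[0]):
    """Fraction of connections each server receives when n_clients each resolve the
    name once and connect to the address `pick` chooses from the answer they got."""
    hits = Counter(server_of[pick(answer)] for answer in cyclic_answers(rrset, n_clients))
    return {server: hits[server] / n_clients for server in sorted(set(server_of.values()))}


def lowest_address(answer):
    """A client that re-sorts the addresses instead of honouring answer order: the
    weighting disappears and one server takes everything."""
    return min(answer)


if __name__ == "__main__":
    print("clients honouring answer order:", load_share(WWW_RRSET, SERVER_OF, 400))
    print("clients sorting addresses:     ", load_share(WWW_RRSET, SERVER_OF, 400, pick=lowest_address))
```

The first call gives the intended 75/25 split; the second gives 100/0, which is the reason the thread calls the method icky: the ratio lives in the clients' behaviour, not in the zone.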

Re: allow-query for a zone

2012-01-16 Thread Jeff Peng
On 2012-1-17 1:58, Warren Kumari wrote: Just out of interest, why wouldn't you just comment out the zone stanza? Would cut down on memory usage, load time, etc… I'm sure you have a use case, just a wondering… Well, my dns manage system (dnsbed.com) requires a "zone pause" feature. When a user clicks

Re: allow-query for a zone

2012-01-16 Thread Barry Margolin
In article , Jeff Peng wrote: > On 2012-1-17 1:58, Warren Kumari wrote: > > Just out of interest, why wouldn't you just comment out the zone stanza? > > > > Would cut down on memory usage, load time, etc… > > > > I'm sure you have a use case, just a wondering… > > Well, my dns manage syst

Re: allow-query for a zone

2012-01-16 Thread Jeff Peng
Well, my dns manage system (dnsbed.com) requires a "zone pause" feature. > When a user clicks the "pause" button, the zone should be stopped for > resolving, but the config and records should be kept. How can you tell the difference? what difference do you mean?

Re: [patch] UNIX sockets support for lwresd

2012-01-16 Thread Danny Mayer
This really belongs in bind-workers rather than bind-users. See also below. On 1/16/2012 9:19 AM, Ilya Bakulin wrote: > Hi list, > I'm working on Capsicum security framework [1] for the FreeBSD Project. > While implementing sandbox mode for some applications like tcpdump, we > have noticed that sa

Re: Defense against a client?

2012-01-16 Thread David Miller
Mark Andrews wrote: > >In message , >Barry Margolin writes: >> In article , >> Chuck Anderson wrote: >> >> > On Mon, Jan 16, 2012 at 03:41:15PM +, Florian Weimer wrote: >> > > * Chuck Anderson: >> > > >> > > > Unfortunately, these sorts of per-IP limiting are going to >become more >>

Re: Defense against a client?

2012-01-16 Thread Mark Andrews
In message <358ad0a6-b4db-47aa-87f9-b7ef4b86a...@email.android.com>, David Miller writes: > >Which will more and more be behind CGN especially as DNSSEC take up > >increases. > > If one sets up an infrastructure such that a large number of end users "share > the same fate" through having the same

Re: allow-query for a zone

2012-01-16 Thread Barry Margolin
In article , Jeff Peng wrote: > >> Well, my dns manage system (dnsbed.com) requires a "zone pause" feature. > >> > When a user clicks the "pause" button, the zone should be stopped for > >> > resolving, but the config and records should be kept. > > How can you tell the difference? > > > what d

Re: allow-query for a zone

2012-01-16 Thread Jeff Peng
Whether you set allow-query to none, or remove the zone statement, clients will get an error when they try to query the zone. There is a difference when you develop a web interface for a DNS system. A user can "pause" the domain from the web interface; if we remove the zone and records from BIND fi