Hello everyone,
before sending this email I tried to do some searches on this topic, but
no luck so far... so before bothering bind-workers, here's my question:
I was wondering if a configuration option exists in order to force
bind server to send a "minimal (from size and number of returned
record point
Hello,
DNS is very easy to attack.
My named service sometimes gets 1G or more of attack traffic.
How can we take steps to prevent this?
Thanks
--
Email/Jabber/Gtalk: pa...@riseup.net
Free DNS Hosting with www.DNSbed.com
In article ,
Barry Margolin wrote:
> In article ,
> Sam Wilson wrote:
>
> > For a NXDOMAIN response, or NOERROR with an empty answer section, the
> > server should provide the SOA record in the authority section. That SOA
> > is the apex of the zone which doesn't contain the answer record
Hello,
Several RFCs on DNS do state that name servers (not only BIND) should
avoid, if possible, sending messages that would require the TC bit to be
set in the reply.
Replies can stay shorter if some sections (authority/additional) are not
included in the reply.
I know for sure that DNSSEC related
pa...@riseup.net wrote on 06/27/2012 05:20:32 AM:
> DNS is very easy to attack.
Yes it is
> My named service sometimes gets 1G or more of attack traffic.
> How can we take steps to prevent this?
http://www.google.com/search?q=prevent+DNS+atttack
pangj wrote:
>
> DNS is very easy to attack.
> My named service sometimes gets 1G or more of attack traffic.
> How can we take steps to prevent this?
Incoming or outgoing? A number of people have been having this problem
recently. You might want to join the dns-operations list:
https://
Hi,
Mark, you are right saying "When it's possible..."
But I want to address the situation when the DNS server is made
to limit responses to 512 bytes (i.e. for BIND the server parameter
udp-max-size 512) and the answer is bigger. (Imagine I have a big TXT
record, for example.)
As bind up to version
On 26/06/12 17:25, nex6 wrote:
* Phil Mayers [2012-06-26 16:54:55 +0100]:
I am not going to be editing files by hand; we actually have a tool. I am more
concerned about best practices, and how to fix the mess.
e.g., say we have about 500 VLANs (/24s) and say only 350 have reverse zones.
from wh
On Wed, 27 Jun 2012, Sebastiano Di Paola wrote:
Hello everyone,
before sending this email I tried to do some searches on this topic, but
no luck so far... so before bothering bind-workers, here's my question:
I was wondering if a configuration option exists in order to force
bind server to send a "mini
* Phil Mayers [2012-06-27 14:29:38 +0100]:
> On 26/06/12 17:25, nex6 wrote:
> >* Phil Mayers [2012-06-26 16:54:55 +0100]:
> >
> >
> >I am not going to be editing files by hand, we actually have a tool. I am
> >more
> >concerned about best practices, and how to fix the mess.
> >
> >eg, say w
On 27/06/12 15:30, nex6 wrote:
so, you *should* have a larger 10.x.x.x zone? *and* smaller
10.x.x.0/24 zones? so i am assuming the workflow would be in this
case, records go in the smaller zones, and the larger zone is the
catchall to prevent leakage?
It is good practice, and polite, to preven
For years, we have used the A records in a zone as a
database of assigned IP addresses and host names. We have
always done a zone transfer from a slave each time we were about
to assign new IP addresses and this has worked well, but it
occurred to me that it would also work if one could ru
What logging level and channel do I need to configure to see every
NXDOMAIN response generated by the server and the address of the client
which sent the corresponding request?
Thanks,
Ken Traynham
KEN TRAYNHAM
ITS EPA II - COTS
CSC (Contractor)
79 TW Alexander Drive, Building 4201, Research Tr
I would set up 10.in-addr.arpa which is slaved on all internal
nameservers and delegate the /24's as required. 10.in-addr.arpa
won't change much and will be cheaper in the long run than using a
stub zone.
In message <4feb2a8a.4050...@imperial.ac.uk>, Phil Mayers writes:
> On 27/06/12 15:30, nex6
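The layout Mark describes, as an added Python example that is not code from the thread or from nex6's tool: one 10.in-addr.arpa zone, slaved on every internal server, that delegates each /24 which has its own reverse zone, so a PTR lookup for any undelegated 10.x.y.z address is answered NXDOMAIN internally instead of leaking outward. It generates the parent zone file and the named.conf stanzas for one server. The /24 list, the server names (ns1/ns2.example.net), the hostmaster mailbox and the master's address 10.1.0.53 are assumptions made for the example.

```python
"""Catch-all 10.in-addr.arpa zone delegating per-/24 reverse zones (constructed example)."""
import ipaddress

TEN = ipaddress.ip_network("10.0.0.0/8")

def reverse_zone(prefix):
    """Reverse zone name of an octet-aligned IPv4 prefix: 10.20.30.0/24 -> 30.20.10.in-addr.arpa"""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError("reverse zones need a /8, /16 or /24: %s" % prefix)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def parent_zone(delegated, nameservers, serial):
    """Zone file for 10.in-addr.arpa: an NS set per delegated /24. A PTR lookup for any
    other 10.x.y.z ends here with NXDOMAIN instead of leaking to the public servers."""
    ns = [n if n.endswith(".") else n + "." for n in nameservers]
    lines = ["$ORIGIN 10.in-addr.arpa.", "$TTL 86400",
             "@\tIN\tSOA\t%s hostmaster.example.net. ( %d 3600 900 1209600 86400 )" % (ns[0], serial)]
    lines += ["@\tIN\tNS\t%s" % n for n in ns]
    for prefix in sorted(delegated, key=ipaddress.ip_network):
        net = ipaddress.ip_network(prefix)
        if net.prefixlen != 24 or not net.subnet_of(TEN):
            raise ValueError("only /24s inside 10.0.0.0/8 are delegated here: %s" % prefix)
        label = reverse_zone(prefix)[:-len(".10.in-addr.arpa")]        # "30.20" for 10.20.30.0/24
        lines.append("; %s" % prefix)
        lines += ["%s\tIN\tNS\t%s" % (label, n) for n in ns]
    return "\n".join(lines) + "\n"

def named_conf(delegated, master_ip=None):
    """Zone stanzas for one internal server: master for everything when master_ip is
    None, otherwise a slave of master_ip for the parent and every /24 (BIND 9 syntax
    of the time: type master/slave with a masters clause)."""
    def stanza(name):
        if master_ip is None:
            return 'zone "%s" { type master; file "%s.db"; };' % (name, name)
        return 'zone "%s" { type slave; masters { %s; }; file "%s.db"; };' % (name, master_ip, name)
    return "\n".join(stanza(z) for z in ["10.in-addr.arpa"] + [reverse_zone(p) for p in delegated]) + "\n"

# constructed input: the real list would hold the ~350 /24s that have reverse zones
DELEGATED = ["10.20.30.0/24", "10.1.0.0/24", "10.20.31.0/24"]
NAMESERVERS = ["ns1.example.net", "ns2.example.net"]

if __name__ == "__main__":
    print(parent_zone(DELEGATED, NAMESERVERS, 2012062701))
    print(named_conf(DELEGATED, master_ip="10.1.0.53"))
```

Every internal server slaves both the parent and the /24 zones, so it answers the delegated names itself rather than handing out referrals; the parent only needs a new serial when a /24 is added or removed, which is the "won't change much" property Mark relies on.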
In message , Ken Traynham writes:
>
> What logging level and channel do I need to configure to see every
> NXDOMAIN response generated by the server and the address of the client
> which sent the corresponding request?
There isn't a logging level which will give you this. I would use a
packet l
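As an added example (mine, not code from the thread or from BIND), the following Python works on raw wire-format messages to show three things asked about in this thread: what a minimal response looks like once authority and additional data are dropped, with the SOA kept on negative answers as Sam Wilson's quoted reply describes (BIND's own knob for this is the `minimal-responses yes;` option); what a server has to send when the reply exceeds the UDP size limit from the udp-max-size discussion (TC set, so the client retries over TCP); and how to pull every NXDOMAIN response plus the client address out of a packet capture, which is what Mark suggests in place of a logging channel. The messages, names (example.com) and addresses (192.0.2.0/24) are constructed for the example; a deployment would feed it the UDP payloads of captured port-53 responses with the packet's destination address as the client.

```python
"""DNS minimal responses, UDP truncation and NXDOMAIN extraction on wire-format messages (RFC 1035 sec. 4)."""
import struct
QR, TC, AA, RCODE_NXDOMAIN = 0x8000, 0x0200, 0x0400, 3       # header flag bits and rcode
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_TXT, TYPE_OPT = 1, 2, 6, 16, 41

def skip_name(msg, pos):
    """Offset just past the (possibly compressed) name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def read_name(msg, pos):
    labels = []
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            target = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            if target >= pos:                  # RFC 1035: pointers go backwards; also stops loops in hostile input
                raise ValueError("bad compression pointer")
            pos = target
            continue
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."

def sections(msg):
    """-> (id, flags, qdcount, question bytes, [answer, authority, additional]) with (raw RR, rtype) items."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # QTYPE + QCLASS
    question, out = msg[12:pos], []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            start, p = pos, skip_name(msg, pos)
            rtype, rdlen = struct.unpack_from("!H6xH", msg, p)    # skip CLASS and TTL
            pos = p + 10 + rdlen
            rrs.append((msg[start:pos], rtype))
        out.append(rrs)
    return ident, flags, qd, question, out

def minimal_response(msg):
    """Trim like a minimal-responses policy: keep only the answer section for a positive
    answer; for a negative one (NXDOMAIN, or NOERROR with an empty answer) keep the authority
    section, whose SOA the client needs for negative caching. EDNS OPT is always kept."""
    ident, flags, qd, question, (answer, authority, additional) = sections(msg)
    negative = (flags & 0x000F) == RCODE_NXDOMAIN or not answer
    keep_auth = authority if negative else []
    keep_add = [rr for rr in additional if rr[1] == TYPE_OPT]
    header = struct.pack("!6H", ident, flags, qd, len(answer), len(keep_auth), len(keep_add))
    return header + question + b"".join(raw for raw, _ in answer + keep_auth + keep_add)  # pointers only go backwards: safe

def fit_udp(msg, limit=512):
    """msg if within limit, else the TC-set reply with only the question (+OPT): client retries over TCP (RFC 1035 4.2.1)."""
    if len(msg) <= limit:
        return msg
    ident, flags, qd, question, (_, _, additional) = sections(msg)
    opt = [raw for raw, rtype in additional if rtype == TYPE_OPT]
    return struct.pack("!6H", ident, flags | TC, qd, 0, 0, len(opt)) + question + b"".join(opt)

def nxdomain_events(responses):
    """(client_ip, qname) for each NXDOMAIN response in (client_ip, wire) pairs from a udp/53 capture."""
    out = []
    for client, msg in responses:
        flags = struct.unpack_from("!H", msg, 2)[0]
        if flags & QR and (flags & 0x000F) == RCODE_NXDOMAIN:
            out.append((client, read_name(msg, 12)))
    return out

def encode_name(name):   # builders for the constructed sample messages below (not captured traffic)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def rr(owner, rtype, rdata, ttl=300, rclass=1):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build(ident, flags, qname, qtype, answer=(), authority=(), additional=()):
    header = struct.pack("!6H", ident, flags, 1, len(answer), len(authority), len(additional))
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answer + authority + additional)

PTR_QNAME = b"\xc0\x0c"                        # pointer to the question name at offset 12
OPT = rr(b"\x00", TYPE_OPT, b"", ttl=0, rclass=4096)
POSITIVE = build(0x1234, QR | AA, "www.example.com", TYPE_A,
                 answer=(rr(PTR_QNAME, TYPE_A, bytes([192, 0, 2, 10])),),
                 authority=(rr(encode_name("example.com"), TYPE_NS, encode_name("ns1.example.com")),),
                 additional=(rr(encode_name("ns1.example.com"), TYPE_A, bytes([192, 0, 2, 53])), OPT))
SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!5I", 2012062701, 3600, 900, 604800, 300))
NXDOMAIN = build(0x5678, QR | AA | RCODE_NXDOMAIN, "nope.example.com", TYPE_A,
                 authority=(rr(encode_name("example.com"), TYPE_SOA, SOA_RDATA),))
BIG_TXT = build(0x9abc, QR | AA, "big.example.com", TYPE_TXT,          # three 255-byte strings, ~840 bytes
                answer=tuple(rr(PTR_QNAME, TYPE_TXT, b"\xff" + b"x" * 255) for _ in range(3)))
```

Two design points. `fit_udp` keeps only the question when it truncates, which is the conservative reading of RFC 1035; a server may instead keep as many whole RRs as fit, but it must never cut an RR in the middle, and the client will retry over TCP either way. `read_name` rejects forward compression pointers because the RFC only allows pointers to a prior occurrence; that single check also defeats pointer loops, which matters when the input is a capture of traffic from an attacker.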
There is also a patch for BIND which can help:
http://www.redbarn.org/dns/ratelimits
Thank you.
The traffic is incoming, and the incoming IPs are fake, how will the
patch work to stop them?
--
Email/Jabber/Gtalk: pa...@riseup.net
Free DNS Hosting with www.DNSbed.com
define "fake" -- if you mean rfc1918, you can block the ranges at ingress,
or with iptables or similar to avoid letting it hit bind at all.
-Original Message-
From: pangj
Date: Wednesday, June 27, 2012 6:36 PM
To: Tony Finch
Cc: "bind-users@lists.isc.org"
Subject: Re: prevent DNS attac
> define "fake" -- if you mean rfc1918, you can block the ranges at ingress,
> or with iptables or similar to avoid letting it hit bind at all.
Yes, I mean a source-spoofed DDoS attack, and I am reading this document:
http://en.wikipedia.org/wiki/Ingress_filtering
Is there a sample iptables script fo
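An added example for the ingress-filtering question (mine, not from the thread; it assumes Linux iptables with the hashlimit match): it decides which source addresses cannot be genuine on the public interface and emits the rule set that drops them before they reach named, then caps what remains per source /24. The caveat from the reply about RFC 1918 ranges applies: this only strips the part of a spoofed flood that uses unroutable or own-network sources; a flood spoofed from random routable addresses matches neither the source list nor a per-source limit, which is what the response rate limiting patch linked earlier in the thread addresses on the server side. The interface name eth0, the operator prefix 198.51.100.0/24 and the sample addresses are constructed.

```python
"""Host-level ingress filter for an authoritative DNS server: drop queries from sources
that cannot be genuine, then cap what one source may ask. Emits iptables commands."""
import ipaddress

# Sources that never legitimately arrive on a public interface: RFC 1918, loopback,
# link-local, "this" network, multicast, reserved. Documentation/benchmark ranges
# (192.0.2/24, 198.51.100/24, 203.0.113/24, 198.18/15) are bogons too but are left
# out here because the example uses them as stand-ins for public addresses; in
# production, load a maintained bogon list instead of hard-coding one.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def blocked_sources(own_prefixes):
    """Martians plus our own prefixes: a packet claiming to come from inside our
    network cannot legitimately arrive on the outside interface."""
    return MARTIANS + [ipaddress.ip_network(p) for p in own_prefixes]

def is_spoofed_source(src, own_prefixes):
    """True if a query from src on the outside interface must be spoofed or misrouted."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in blocked_sources(own_prefixes))

def ingress_rules(iface, own_prefixes, per_source="20/sec", burst=50, srcmask=24):
    """iptables commands for a DNS_INGRESS chain hooked in front of INPUT for udp/53
    on iface. Spoofed sources are dropped before the rate limit so a flood from them
    does not fill the hashlimit table; what remains is capped per source /srcmask."""
    cmds = ["iptables -N DNS_INGRESS",
            "iptables -I INPUT 1 -i %s -p udp --dport 53 -j DNS_INGRESS" % iface]
    cmds += ["iptables -A DNS_INGRESS -s %s -j DROP" % net for net in blocked_sources(own_prefixes)]
    cmds.append("iptables -A DNS_INGRESS -m hashlimit --hashlimit-name dns_src "
                "--hashlimit-mode srcip --hashlimit-srcmask %d --hashlimit-above %s "
                "--hashlimit-burst %d -j DROP" % (srcmask, per_source, burst))
    cmds.append("iptables -A DNS_INGRESS -j RETURN")
    return cmds

# constructed sample: the public interface and the operator's own prefix are assumptions
IFACE, OWN = "eth0", ["198.51.100.0/24"]

if __name__ == "__main__":
    print("\n".join(ingress_rules(IFACE, OWN)))
```

Review the output before running it with `sh -e`, and tune the per-source rate to the traffic you actually see: large public recursive resolvers legitimately send far more than 20 queries per second from one /24, so measure before you pick a threshold. The filter is for udp/53 only; spoofing TCP sources does not get past the handshake, so TCP queries are left to named.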