[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

Joe Abley <jabley at hopcount.ca> wrote:
> My assessment is that the implementations I have seen are ready for
> production use, but I think it's understandable given the moving
> goalpoasts that some vendors have not yet promoted the code to be
> included in stable releases.

It is in the current stable release of NSD 3.2.15 though it is a
build-time option. It is in the current release candidate of knot DNS
1.2.0-rc4. It will be in BIND-9.10 which has not yet reached public beta.

Our servers have been abused as reflectors, and we're using the BIND RRL
patch with versions 9.8 and 9.9 to stop the attack traffic.

There are other interim options such as using firewall rate limiting
which is worse than RRL because it is much more likely to hurt legitimate
queries. For example,

Or you can use a configuration add-on such as bindguard.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.