Re: [opennic-discuss] DoS amp attack today
  • From: Stefan Sabolowitsch <Stefan.Sabolowitsch AT felten-group.com>
  • To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] DoS amp attack today
  • Date: Wed, 17 Apr 2013 08:35:45 +0000

@to all
Currently, a correct patch has to be generated for each BIND version.
Last year I published the patch for v9.8 here on the list.

Actually it is easy; one only has to wrestle a bit with "diff" and "patch"
to create the right patch for each BIND version.
This is more a time issue. But I do of course understand that not everyone
can do this.

Of course, a repo would be ideal. But what do we do with the various *nix
(CentOS, Ubuntu, FreeBSD etc.)?
For example, I have only FreeBSD for DNS / WWW / FTP service.

And yes, a "DNS-only solution" does not solve the problem alone.
Good firewall rules / protection are also important, for example rate /
session limiting, anti address sweeping, anti TCP / UDP flood, and so on.
A good, rock-solid firewall is elementary here.
In our business we use Netscreen FW, but privately I can recommend, for
example, "pfsense" http://www.pfsense.org.

If possible, an IDS / IPS system also helps; see here (only DNS rules):
[1:2012728:3] ET CURRENT_EVENTS Known Hostile Domain citi-bank.ru Lookup
[Classification: A Network Trojan was Detected] [Priority: 1]

[1:2016591:5] ET DNS Reply Sinkhole - 46.149.18.14 blacklistthisdomain.com
[Classification: A Network Trojan was Detected] [Priority: 1]

[1:2016102:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24
[Classification: A Network Trojan was Detected] [Priority: 1]

[1:2014374:1] ET CURRENT_EVENTS Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response
[Classification: A Network Trojan was Detected] [Priority: 1]


Regards
Stefan


On 16.04.13 22:57, "Jeff Taylor" <shdwdrgn AT sourpuss.net> wrote:

>It sounds great, and for many people this would be a good solution...
>Except that from what I'm reading, the only way to get it is to compile
>the bleeding-edge BIND, which most people aren't going to do.
>
>The other issue I see is that this is a BIND-only solution. What about
>those of us who use dedicated firewalls and don't want the excessive
>traffic flooding our internal networks? I prefer to stop as much
>garbage as possible at the firewall, then use BIND based solutions as a
>backup to catch whatever else gets through.
>
>
>On 04/16/2013 12:53 AM, Stefan Sabolowitsch wrote:
>> Hi guys.
>> Why don't you make your life a bit easier?
>> rate-limit and anti-spoof are OK and important, but what really helps is
>> DNS dampening.
>>
>> http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
>>
>> It will be as a plugin in the upcoming release of Bind v10.
>>
>>
>>
>> http://bind10.isc.org/ticket/2840
>>
>> It really works; look here, "5.1k Dampening" requests per second:
>> http://www.pic-upload.de/view-18968967/DNS_Dampening.png.html
>>
>>
>> Should someone need help, just ask me; maybe I can help here.
>>
>>
>> Regards,
>> Stefan
>>
>
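Added example, not part of the original messages: the thread names "DNS dampening" and links to Lutz Donnerhacke's write-up but does not show how it works, so below is a small Python model of the idea as a response-rate limiter on the name server. Every response adds penalty points to the client's score (a flat amount plus one point per response byte, so amplified ANY answers cost far more than small A answers); the score decays exponentially, and responses are suppressed while the score is above a threshold and resumed once it falls below a lower one. This is neither the BIND patch Stefan refers to nor Donnerhacke's implementation; the thresholds, half-life, response sizes, RFC 5737 addresses and the traffic sample are all assumptions chosen for illustration.

```python
"""Toy model of DNS response dampening: a per-client penalty score that grows
with every response (weighted by response size) and decays exponentially, with
responses suppressed while the score is above a threshold.

Added example for this thread; it is NOT the BIND patch discussed above and not
Lutz Donnerhacke's implementation. All constants, response sizes, IP addresses
and the traffic sample below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed response sizes in bytes: a small A answer versus an amplified ANY answer.
RESPONSE_BYTES = {"A": 60, "ANY": 3000}

# Documentation-range addresses (RFC 5737) standing in for real clients.
LEGIT = "192.0.2.10"     # a well-behaved resolver
VICTIM = "198.51.100.7"  # the spoofed source address of a reflection flood


@dataclass
class Dampener:
    points_per_byte: float = 1.0      # penalty per response byte (assumption)
    points_per_query: float = 100.0   # flat penalty per query (assumption)
    half_life: float = 10.0           # seconds for the penalty to halve (assumption)
    suppress: float = 20000.0         # start dropping above this score
    release: float = 10000.0          # resume answering below this score
    # client ip -> (penalty, timestamp of last update, currently suppressed?)
    state: dict = field(default_factory=dict)

    def decide(self, client_ip, response_len, now):
        """Return True if the response may be sent, False if it is dampened.

        The penalty keeps growing while a client is suppressed, so a flood
        stays blocked for as long as it lasts; the client is released only
        once the traffic stops and the score has decayed below `release`.
        """
        penalty, last_ts, blocked = self.state.get(client_ip, (0.0, now, False))
        # Exponential decay since the last update for this client.
        penalty *= 0.5 ** ((now - last_ts) / self.half_life)
        penalty += self.points_per_query + self.points_per_byte * response_len
        if blocked and penalty < self.release:
            blocked = False
        elif not blocked and penalty > self.suppress:
            blocked = True
        self.state[client_ip] = (penalty, now, blocked)
        return not blocked


def build_sample_traffic():
    """Constructed sample, not captured traffic: (timestamp, client_ip, qtype)."""
    events = []
    # Legitimate resolver: one A query per second for a minute.
    for s in range(60):
        events.append((float(s), LEGIT, "A"))
    # Reflection flood: 200 ANY queries per second for 5 s, source spoofed
    # to the victim, so the amplified answers would land on the victim.
    for i in range(1000):
        events.append((i * 0.005, VICTIM, "ANY"))
    events.sort()
    return events


def run(events, dampener):
    """Feed events through the dampener; return ip -> (answered, dropped, bytes_sent)."""
    stats = {}
    for ts, ip, qtype in events:
        size = RESPONSE_BYTES[qtype]
        sent = dampener.decide(ip, size, ts)
        answered, dropped, sent_bytes = stats.get(ip, (0, 0, 0))
        stats[ip] = (answered + int(sent),
                     dropped + int(not sent),
                     sent_bytes + (size if sent else 0))
    return stats


if __name__ == "__main__":
    d = Dampener()
    for ip, (answered, dropped, sent_bytes) in run(build_sample_traffic(), d).items():
        print(f"{ip:>14}: answered={answered:4d} dropped={dropped:4d} bytes_sent={sent_bytes}")
    # The spoofed victim stays dampened for a while after the flood stops...
    print("victim answered at t=60s:", d.decide(VICTIM, RESPONSE_BYTES["ANY"], 60.0))
    # ...and is released once the score has decayed below the release threshold.
    print("victim answered at t=100s:", d.decide(VICTIM, RESPONSE_BYTES["ANY"], 100.0))
```

With these constants the legitimate client is answered every time, while the flood directed at the spoofed victim is cut off after a handful of amplified answers, so the server reflects a few kilobytes instead of a few megabytes. The example also shows the cost side of the approach: because the score keeps growing while a client is suppressed, the real owner of the spoofed address remains dampened for some time after the flood ends (still blocked at t=60 s, released again by t=100 s here), which is why the release threshold and half-life need tuning against real traffic. And as Jeff's reply points out, this runs on the name server: the queries themselves still arrive on the wire, so it complements rather than replaces the firewall rate limiting Stefan recommends.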