Discuss mailing list

[Guillaume Parent <gparent AT gparent.org>]

I checked the Bind 9.8.4 (testing repo on debian) contains the rate limiting patch. I will be compiling the bind9 testing package on a stable base and testing it shortly, if the package seems to work fine I will make it available.

On Wed, Apr 17, 2013 at 8:29 AM, mike <mike AT pikeaero.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have not built bind with Dampening yet, I just got the RRL patch
going last night. Will try to deploy an instance of the dampening
patch perhaps tonight.

I am up to my neck in open (and closed) source projects, but if nobody
else will step up to the plate to maintain a Debian style PPA for bind
with Dampening, I could perhaps (reluctantly) take care of getting
that off the ground....<sigh>....it will be for my own good anyway
come time to do an O/S update.....okay.....I'll do an Debian/Ubuntu PPA...

Does the RRL patch need such a PPA as well?

- --Mike

On 04/17/2013 04:35 AM, Stefan Sabolowitsch wrote:
>
> @to all Currently, it is so that one correct patch has to generate
> for each bind version. Last year, i have published the patch for
> v9.8 here in the list.
>
> Actually it is easy, it is necessary to only fight something with
> "diff" and "patch" to the right patch for each bind version
> creates. This is more a time issue. But i do of course understand
> that not everyone can do this.
>
> Of course, an repo would be ideal. But what do we with the various
> *nix (Centos, Ubuntu, FreeBSD etc.)? For example, i have only
> FreeBSD for DNS / WWW / FTP service.
>
> And yes, not a "DNS only solution" solves the problem alone.
> Important is also a good firewall rules / protection, example (rate
> / session limit, anti address sweeping, anti TCP / UDP flood, and
> so on). A good rock solid firewall is here elementary.
>
>
>
>
>
>
> In our business we use Netscreen FW, but privately i can recommend
> for an example "pfsense" http://www.pfsense.org.
>
>
> if possible also a ids / isp system helps, see here (only DNS
> rules): [1:2012728:3] ET CURRENT_EVENTS Known Hostile Domain
> citi-bank.ru Lookup [Classification: A Network Trojan was Detected]
> [Priority: 1]
>
> [1:2016591:5] ET DNS Reply Sinkhole - 46.149.18.14
> blacklistthisdomain.com [Classification: A Network Trojan was
> Detected] [Priority: 1]
>
> [1:2016102:2] ET TROJAN DNS Reply Sinkhole - Microsoft -
> 199.2.137.0/24 [Classification: A Network Trojan was Detected]
> [Priority: 1]
>
> [1:2014374:1] ET CURRENT_EVENTS Possible Zeus .info CnC Domain
> Generation Algorithm (DGA) Lookup NXDOMAIN Response
> [Classification: A Network Trojan was Detected] [Priority: 1]
>
>
> Regards Stefan
>
>
>
>
> Am 16.04.13 22:57 schrieb "Jeff Taylor" unter
> <shdwdrgn AT sourpuss.net>:
>
>> It sounds great, and for many people this would be a good
>> solution... Except that from what I'm reading, the only way to
>> get it is to compile the bleeding-edge BIND, which most people
>> aren't going to do.
>>
>> The other issue I see is that this is a BIND-only solution.  What
>> about those of us who use dedicated firewalls and don't want the
>> excessive traffic flooding our internal networks?  I prefer to
>> stop as much garbage as possible at the firewall, then use BIND
>> based solutions as a backup to catch whatever else gets through.
>>
>>
>> On 04/16/2013 12:53 AM, Stefan Sabolowitsch wrote:
>>> Hi guys. Why do you make your life not something easier?
>>> rate-limit and anti-spoof are OK and important, but what really
>>> helps is DNS dampening.
>>>
>>> http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
>>>
>>> It will be as a plugin in the upcoming release of Bind v10.
>>>
>>>
>>>
>>> http://bind10.isc.org/ticket/2840
>>>
>>> It's really works, look here "5.1k Dampening" requests per
>>> second
>>> http://www.pic-upload.de/view-18968967/DNS_Dampening.png.html
>>>
>>>
>>> should someone need help, just ask me maybe i can help here.
>>>
>>>
>>> Regards, Stefan
>>>
>>
>>
>> -------- You are a member of the OpenNIC Discuss list. You may
>> unsubscribe by emailing
>> discuss-unsubscribe AT lists.opennicproject.org
>>
>
>
>
>
> -------- You are a member of the OpenNIC Discuss list. You may
> unsubscribe by emailing
> discuss-unsubscribe AT lists.opennicproject.org
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRbpW9AAoJEA7EcEr0emgftnUIAJPzuNtoej7JTCgtVGmvPjrP
MZTDG09ICjYwdrViUMI5ITjF9foClauWkeectF6Wh8nHWAfZnMVnNOvDQG37LMYq
8bNX4Av4pyxPIW1UVDdWiifs2/p0mq7rqStvFwh4tMH/Wy+Nh3t9KFWe8VwM9yYp
k7OOeDObJQR4f9tmbHhoP6H8R6wNST4SnivWZVbWQxtZNrr7swHIhXdAOvAz6jOx
XiLvmXnU+m/25pZrrf++7GiwsdydSDD6DfyLlxPEqIg1aZTqrRpx5gCj/cY4DOha
i0pdqeBOSWVS544MZMcZTYOiwI1MFLQAc1b1W8bktbi7uZvJp9Uua5MrlSbfwhk=
=1kGo
-----END PGP SIGNATURE-----

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org