Discuss mailing list

["Alex M (Coyo)" <coyo AT darkdna.net>]

Would these DNS dampening, rate-limiting and anti-spoofing techniques work with PowerDNS?

Obviously, Snort IDS, and Shoreline Firewall, SELinux and AppArmor are all good, and disabling SU (use sudo only) and using a makejail chroot jail for every service (including bind or pdns, whichever) would be wise, however

what can you do in terms of dampening, rate-limiting and other anti-amplification precautions can you take with powerdns?

On 04/17/2013 02:50 PM, Guillaume Parent wrote:

I checked the Bind 9.8.4 (testing repo on debian) contains the rate limiting patch. I will be compiling the bind9 testing package on a stable base and testing it shortly, if the package seems to work fine I will make it available.

On Wed, Apr 17, 2013 at 8:29 AM, mike <mike AT pikeaero.com> wrote:

I have not built bind with Dampening yet, I just got the RRL patch
going last night. Will try to deploy an instance of the dampening
patch perhaps tonight.

On 04/17/2013 04:35 AM, Stefan Sabolowitsch wrote:
>
> And yes, not a "DNS only solution" solves the problem alone.
> Important is also a good firewall rules / protection, example (rate
> / session limit, anti address sweeping, anti TCP / UDP flood, and
> so on). A good rock solid firewall is here elementary.
>
> In our business we use Netscreen FW, but privately i can recommend
> for an example "pfsense" http://www.pfsense.org.
>
>
> if possible also a ids / isp system helps
>
> Am 16.04.13 22:57 schrieb "Jeff Taylor" unter
> <shdwdrgn AT sourpuss.net>:
>
>> It sounds great, and for many people this would be a good
>> solution... Except that from what I'm reading, the only way to
>> get it is to compile the bleeding-edge BIND, which most people
>> aren't going to do.
>>
>> On 04/16/2013 12:53 AM, Stefan Sabolowitsch wrote:
>>> Hi guys. Why do you make your life not something easier?
>>> rate-limit and anti-spoof are OK and important, but what really
>>> helps is DNS dampening.