Re: how to defense against ddos attack to dns?

2009-11-20 Thread Bryan Irvine
Basically, you have to have a big enough server/cluster of servers, to
absorb an attack.

No real defense from distributed dos.



2009/11/16 MontyRee :
>
> Hello, all.
>
>
> I have operated some dns servers and I'm curious what should I do if
> there is a ddos attack on my dns servers.
>
> So do you know how to defend against a dns ddos attack like the root servers do?
>
> Surely, various ddos attacks may occur.
>
> My idea is..
>
>
> -. filtering 53/udp traffic where the packet is over 512 bytes
> -. rate-limit against 53/udp queries
>   (but useless if the attack spoofs the source ip)
> -. deny recursion
> -. anycast?
>
>
> Is there any comments or proposal?
>
>
> Thanks in advance.
>
>
>
>
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: how to defense against ddos attack to dns?

2009-11-20 Thread MontyRee



Hello,
I tested a dns dos tool, dnstest (http://www.trsecurity.net/dnstest/).
This program generates (1) lots of queries, (2) randomly chosen query
names, and (3) source ips that can be spoofed.
Below is an example (192.168.198.17 is the victim):
07:09:11.658811 IP 167.187.119.211.4500 > 192.168.198.17.domain:  2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233 > 192.168.198.17.domain:  2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454 > 192.168.198.17.domain:  2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566 > 192.168.198.17.domain:  2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320 > 192.168.198.17.domain:  2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211 > 192.168.198.17.domain:  2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 208.133.39.51.435435 > 192.168.198.17.domain:  2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 80.168.228.221.5464 > 192.168.198.17.domain:  2+ A? www.juewou.com. (32)
07:09:12.705161 IP 217.198.77.156.1223 > 192.168.198.17.domain:  2+ A? www.vgxaex.org. (32)

My question is:
if there are lots of queries like the above, how can I defend against the attack?
I think that just denying recursion is not sufficient.
Please share your experiences and opinions.

Thanks.


> To: chulm...@hotmail.com
> CC: bind-us...@isc.org
> From: ma...@isc.org
> Subject: Re: how to defense against ddos attack to dns? 
> Date: Tue, 17 Nov 2009 12:19:53 +1100
> 
> 
> In message , MontyRee writes:
>> 
>> Hello, all.
>>  
>> I have operated some dns servers and I'm curious what should I do if 
>> there is a ddos attack on my dns servers.
>>  
>> So do you know how to defend against a dns ddos attack like the root servers do?
>>  
>> Surely, various ddos attacks may occur.
>>  
>> My idea is..
>>  
>> -. filtering 53/udp traffic where the packet is over 512 bytes
>> -. rate-limit against 53/udp queries
>>(but useless if the attack spoofs the source ip)
>> -. deny recursion 
>> -. anycast?
>>  
>> Is there any comments or proposal?
> 
> How you defend against a DoS attack depends on the actual attack
> and what services you are attempting to provide and to whom.  You
> want to minimise collateral damage and some of the methods above
> are likely to introduce collateral damage.
> 
>> Thanks in advance. 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
  
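The capture above shows exactly the properties that decide which of the listed defences can work: the names are all different (so the cache absorbs nothing), the sources are all different (so per-client rate limiting cannot distinguish the flood from legitimate resolvers, as the poster notes about spoofing), every query asks for recursion, and every query carries the same transaction ID. The script below is an added example, not code from this thread or from ISC: it parses tcpdump query lines of the format shown and reports those measurements so an operator can see which filter (refuse recursion, rate by name pattern, match the constant ID) would actually bite. The sample capture is the nine lines from the post; the rate threshold and the 0.9 ratios are assumptions to be tuned to a site's own baseline.

```python
import re
from collections import Counter

# Constructed sample: the nine tcpdump lines quoted in the post above
# (victim 192.168.198.17), one packet per line.
SAMPLE_CAPTURE = """\
07:09:11.658811 IP 167.187.119.211.4500 > 192.168.198.17.domain: 2+ A? www.aocddv.biz. (32)
07:09:11.775809 IP 206.140.182.86.1233 > 192.168.198.17.domain: 2+ A? www.bvthus.org. (32)
07:09:11.891780 IP 157.160.17.164.3454 > 192.168.198.17.domain: 2+ A? www.oftinx.net. (32)
07:09:12.008021 IP 27.71.230.67.56566 > 192.168.198.17.domain: 2+ A? www.nnqsts.net. (32)
07:09:12.123998 IP 202.193.203.54.1320 > 192.168.198.17.domain: 2+ A? www.lpdbxs.biz. (32)
07:09:12.240545 IP 217.53.229.167.22211 > 192.168.198.17.domain: 2+ A? www.ahnxuj.biz. (32)
07:09:12.357514 IP 208.133.39.51.435435 > 192.168.198.17.domain: 2+ A? www.sdhvmu.org. (32)
07:09:12.472896 IP 80.168.228.221.5464 > 192.168.198.17.domain: 2+ A? www.juewou.com. (32)
07:09:12.705161 IP 217.198.77.156.1223 > 192.168.198.17.domain: 2+ A? www.vgxaex.org. (32)
"""

# tcpdump one-line query format:
# "<time> IP <src>.<sport> > <dst>.<dport>: <id>[+] <type>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+):\s+(?P<txid>\d+)(?P<rd>\+?)\s+"
    r"(?P<qtype>\w+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)"
)


def parse_queries(text):
    """Turn capture lines into dicts; non-matching lines (responses, noise) are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = m.group("ts").split(":")
        queries.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight
            "src": m.group("src"),
            "txid": m.group("txid"),
            "rd": m.group("rd") == "+",                    # '+' = recursion desired
            "qtype": m.group("qtype"),
            "qname": m.group("qname").lower(),
        })
    return queries


def summarize(queries):
    """Per-window statistics that separate flood traffic from normal resolver traffic."""
    n = len(queries)
    if n == 0:
        return {"queries": 0}
    window = max(q["t"] for q in queries) - min(q["t"] for q in queries)
    names = Counter(q["qname"] for q in queries)
    sources = Counter(q["src"] for q in queries)
    txids = Counter(q["txid"] for q in queries)
    return {
        "queries": n,
        "window_s": window,
        "qps": n / window if window > 0 else float(n),
        "unique_name_ratio": len(names) / n,
        "unique_source_ratio": len(sources) / n,
        "recursion_desired_ratio": sum(q["rd"] for q in queries) / n,
        "top_txid_share": txids.most_common(1)[0][1] / n,
    }


def classify(stats, qps_threshold=500.0, min_queries=5):
    """Reasons the window looks like a flood (empty list = nothing unusual).
    qps_threshold is an assumed site-specific baseline, not a universal number."""
    reasons = []
    if stats.get("queries", 0) < min_queries:
        return reasons
    if stats["qps"] >= qps_threshold:
        reasons.append(f"query rate {stats['qps']:.0f}/s exceeds baseline {qps_threshold:.0f}/s")
    if stats["unique_name_ratio"] > 0.9:
        reasons.append("nearly every query is for a different name: the cache cannot absorb it")
    if stats["unique_source_ratio"] > 0.9:
        reasons.append("nearly every query has a different source: per-client rate limits will not help, sources are likely spoofed")
    if stats["recursion_desired_ratio"] > 0.9:
        reasons.append("queries ask for recursion: an authoritative-only server should refuse them")
    if stats["top_txid_share"] > 0.9:
        reasons.append("one transaction ID dominates: a tool fingerprint a filter can match on")
    return reasons


if __name__ == "__main__":
    stats = summarize(parse_queries(SAMPLE_CAPTURE))
    for key, value in stats.items():
        print(f"{key:>24}: {value:.3f}" if isinstance(value, float) else f"{key:>24}: {value}")
    for reason in classify(stats, qps_threshold=5.0):
        print("  -", reason)
```

On the nine sample packets this reports roughly 8.6 queries per second with every ratio at 1.0; on a real capture of a few seconds the same ratios are what tell a random-name flood from a burst of legitimate traffic, which repeats names and comes from a stable set of resolvers.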

Re: BIND Forum Membership

2009-11-20 Thread Doug Barton
Taylor, Gord wrote:
>  
> The company I work for uses a vendor solution which implements BIND
> under the hood, though it's abstracted with a GUI interface. Knowing
> which bugs may exist in the current release of BIND would be nice to
> know; for example, if it's a feature of BIND we use, we may want to know
> about bugs before upgrading vendor product which makes use of that
> particular version (or even just to quickly identify if the problem we
> experience is a known issue). So, I've considered joining the BIND Forum
> as an Individual, but I'm not a coder, so I don't know what level of
> abstraction is provided by the bug reports, etc
> 
> Can anyone provide feedback or personal experience on whether they've
> found membership worthwhile or not, and what aspects were beneficial (or
> not as beneficial as you'd hoped)?

Speaking as a vendor member of the BIND Forum (on behalf of the
FreeBSD project) we have found membership to be extremely beneficial.
My goals are similar to yours in the sense that I want to make sure
that upcoming releases of BIND will work in our systems. Additionally,
early advisories on vulnerabilities and upcoming release dates for
fixes have been very valuable in terms of advanced planning, resource
allocation, etc. If you feel comfortable with the advisories posted to
the bind-announce list you should not have any problems dealing with
the advisories sent to Forum members.

I would highly recommend someone in your position becoming a member.


hope this helps,

Doug

-- 

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/



Re: caching problems with bind 9.4.3

2009-11-20 Thread Doug Barton
Gil Vidals wrote:
> Hello,
> 
> I have a master and slave running bind 9.4.3,

You should upgrade to version 9.4.3-P3 which has fixes for some
security issues.

> and there is a problem
> with the outside world resolving new domains that I add to my name
> servers. Here is the sequence:
> 
> 1) add new domain
> 2) dig shows matching SOA and correct zone info.

Are you updating and testing all of your name servers? You mention
"master and slave" in 5 below, so I assume you have at least 2.

> 3) wait two days
> 4) check a random name server such as openDNS and results are wrong -
> only about half of their name servers have the correct info.

As another poster mentioned, without specific examples it's really
hard to guide you further.
http://dougbarton.us/DNS/bind-users-FAQ.html#RealNames

> 5) restart named on my master and slave
> 6) re-check openDNS and voila! everything is good.

This is actually quite odd, since in theory opendns would be caching
the wrong answers and restarting your servers would not immediately
cause that information to be updated. We definitely need more specific
information to help you further.


Doug

-- 

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/



Re: caching problems with bind 9.4.3

2009-11-20 Thread Warren Kumari
You haven't provided very much detail (e.g: example domains, your  
nameservers, config files, versions, dig +trace output, etc), but from  
first glance it sounds like your secondaries are not updating until  
you restart named.


When you query a random nameserver there is a 50/50 chance (ok, well  
100/N - where N is the number of auth servers) that they will hit your  
secondary which, it sounds like, doesn't know about the domain yet...


Can you retest and dig against all of your auth servers, making sure  
that they all return correct data?



W
On Nov 20, 2009, at 11:57 AM, Gil Vidals wrote:


Hello,

I have a master and slave running bind 9.4.3, and there is a problem  
with the outside world resolving new domains that I add to my name  
servers. Here is the sequence:


1) add new domain
2) dig shows matching SOA and correct zone info.
3) wait two days
4) check a random name server such as openDNS and results are wrong  
- only about half of their name servers have the correct info.

5) restart named on my master and slave
6) re-check openDNS and voila! everything is good.

Is this a caching issue that requires restarting named daily? What  
changes in the config files can I make to solve this issue?

Gil Vidals, VCP
gvid...@vmracks.com
vmracks.com - ESX Hosting
t. 760.480.4942 f. 760.480.8271





--
I had no shoes and wept.  Then I met a man who had no feet.  So I  
said, "Hey man, got any shoes you're not using?"





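The check Warren and Doug both ask for, querying every authoritative server and confirming they agree, comes down to comparing the SOA serial each one returns. Below is an added example (not code from the thread or from ISC) that takes the text `dig +short SOA <zone> @<server>` prints for each server and reports which servers are missing the zone and which hold an older serial. The server names, serials and the "zone not loaded" case are constructed; a secondary that answers with nothing or with an old serial is exactly the "doesn't know about the domain yet" situation described above.

```python
import re

# Constructed sample: what `dig +short SOA example.net @<server>` printed for each
# authoritative server (hypothetical names and serials, not real output).
SAMPLE_DIG_OUTPUT = {
    "ns1.example.net": "ns1.example.net. hostmaster.example.net. 2009112001 3600 900 604800 86400\n",
    "ns2.example.net": "ns1.example.net. hostmaster.example.net. 2009111501 3600 900 604800 86400\n",
    "ns3.example.net": "",   # zone not loaded on this server: dig +short prints nothing
}

# SOA RDATA as dig +short prints it: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
SOA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_soa_serial(text):
    """Serial from `dig +short SOA` output, or None if no SOA RDATA line is present."""
    for line in text.splitlines():
        m = SOA_RE.match(line.strip())
        if m:
            return int(m.group(3))
    return None


def check_consistency(outputs):
    """Compare the serial every server returned.

    outputs: {server: dig +short text}. Returns the serials seen, the servers with no
    SOA at all, the servers behind the newest serial, and an overall verdict.
    Note: plain max() ignores RFC 1982 serial wrap-around, which is fine for
    date-based serials like the ones above."""
    serials = {srv: parse_soa_serial(out) for srv, out in outputs.items()}
    missing = sorted(srv for srv, serial in serials.items() if serial is None)
    present = {serial for serial in serials.values() if serial is not None}
    newest = max(present) if present else None
    stale = sorted(srv for srv, serial in serials.items()
                   if serial is not None and serial != newest)
    return {
        "serials": serials,
        "newest": newest,
        "missing": missing,
        "stale": stale,
        "consistent": not missing and not stale,
    }


if __name__ == "__main__":
    report = check_consistency(SAMPLE_DIG_OUTPUT)
    for srv, serial in report["serials"].items():
        print(f"{srv:<20} {serial if serial is not None else 'NO SOA'}")
    print("missing:", report["missing"], "stale:", report["stale"],
          "consistent:", report["consistent"])
```

To use it on a live zone, run `dig +short SOA <zone> @<server>` once per NS record of the zone and feed the outputs in as the dictionary values; a server that is stale or missing after the refresh interval has passed is the one to look at (zone transfer, notify, or serial not incremented on the master).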

BIND Forum Membership

2009-11-20 Thread Taylor, Gord
 
The company I work for uses a vendor solution which implements BIND
under the hood, though it's abstracted with a GUI interface. Knowing
which bugs may exist in the current release of BIND would be nice to
know; for example, if it's a feature of BIND we use, we may want to know
about bugs before upgrading vendor product which makes use of that
particular version (or even just to quickly identify if the problem we
experience is a known issue). So, I've considered joining the BIND Forum
as an Individual, but I'm not a coder, so I don't know what level of
abstraction is provided by the bug reports, etc

Can anyone provide feedback or personal experience on whether they've
found membership worthwhile or not, and what aspects were beneficial (or
not as beneficial as you'd hoped)?

Thanks in advance for any responses...

Gord Taylor (CISSP, GCIH, GEEK) | Senior Network Analyst, Internet
Technologies | Royal Bank of Canada


caching problems with bind 9.4.3

2009-11-20 Thread Gil Vidals
Hello,

I have a master and slave running bind 9.4.3, and there is a problem with
the outside world resolving new domains that I add to my name servers. Here
is the sequence:

1) add new domain
2) dig shows matching SOA and correct zone info.
3) wait two days
4) check a random name server such as openDNS and results are wrong - only
about half of their name servers have the correct info.
5) restart named on my master and slave
6) re-check openDNS and voila! everything is good.

Is this a caching issue that requires restarting named daily? What changes
in the config files can I make to solve this issue?

Gil Vidals, VCP
gvid...@vmracks.com
vmracks.com  - ESX Hosting
t. 760.480.4942 f. 760.480.8271

Re: manage large dns record

2009-11-20 Thread Stephane Bortzmeyer
On Thu, Nov 19, 2009 at 03:40:32PM +0700,
 Sokvantha YOUK  wrote 
 a message of 44 lines which said:

> Could you advice me what is the good way to manage large dns record
> in zone file?

You mean a large number of records, not a large single record?

> I'm using bind v9, currently I need to add around 20 000 hostname
> but it is a pain to put them in one single file.

In what way is it a pain? I assume you do not type them by hand :-)
What's the problem with writing a ten-lines script to convert from the
data base where the names currently are to the BIND zone file format?
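As an added illustration of the "ten-line script" Stephane suggests (this is not code from the thread or from ISC), the Python below turns rows from a host database into zone-file text. It validates each name against host-name syntax and each address with the standard library before emitting anything, picks A or AAAA from the address family, and can split 20 000 host records into numbered `$INCLUDE` files so the main zone file stays small. The origin, serial, name-server names, SOA timer values and sample rows are assumptions chosen for the example.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample rows as they might come out of the host database
# (hypothetical names, documentation-range addresses).
SAMPLE_ROWS = [
    ("www", "192.0.2.10"),
    ("mail", "192.0.2.25"),
    ("mail", "2001:db8::25"),
    ("host-0001", "192.0.2.101"),
]


def valid_hostname(name):
    """RFC 1123 host syntax: LDH labels of 1-63 chars, whole name at most 253 chars."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def render_records(rows):
    """Zone-file lines for (relative name, address) rows; rejects bad names or addresses."""
    lines = []
    for name, addr in rows:
        if not valid_hostname(name):
            raise ValueError(f"invalid hostname: {name!r}")
        ip = ipaddress.ip_address(addr)          # raises ValueError for malformed addresses
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f"{name:<24} IN {rtype:<4} {ip}")
    return lines


def render_zone(origin, ttl, soa, nameservers, rows, chunk_size=None):
    """Return {filename: contents}.

    soa is (mname, rname, serial). Without chunk_size everything goes in one file;
    with it, host records are split into $INCLUDE files of chunk_size lines each.
    The SOA timers (refresh/retry/expire/minimum) are assumed example values."""
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with a dot)")
    if chunk_size is not None and chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    mname, rname, serial = soa
    head = [
        f"$ORIGIN {origin}",
        f"$TTL {ttl}",
        f"@ IN SOA {mname} {rname} ( {serial} 3600 900 604800 86400 )",
    ]
    head += [f"@ IN NS {ns}" for ns in nameservers]
    records = render_records(rows)
    base = origin.rstrip(".")
    files = {}
    if chunk_size is None:
        files[f"{base}.db"] = "\n".join(head + records) + "\n"
        return files
    for i in range(0, len(records), chunk_size):
        chunk_name = f"{base}.hosts-{i // chunk_size + 1:04d}.db"
        files[chunk_name] = "\n".join(records[i:i + chunk_size]) + "\n"
        head.append(f"$INCLUDE {chunk_name}")   # included files inherit $ORIGIN and $TTL
    files[f"{base}.db"] = "\n".join(head) + "\n"
    return files


if __name__ == "__main__":
    out = render_zone("example.net.", 3600,
                      ("ns1.example.net.", "hostmaster.example.net.", 2009112001),
                      ["ns1.example.net.", "ns2.example.net."],
                      SAMPLE_ROWS, chunk_size=3)
    for fname, text in out.items():
        print(f"=== {fname}\n{text}")
```

Validating before writing matters more than the formatting: one malformed line makes named refuse to load the whole zone, and with 20 000 generated records that is the failure you want to catch in the script rather than in the server log. Run `named-checkzone` on the output before reloading.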


Re: Insecure response BIND 9.7.0b2

2009-11-20 Thread Stephane Bortzmeyer
On Fri, Nov 20, 2009 at 09:27:35AM +1100,
 Mark Andrews  wrote 
 a message of 34 lines which said:

> There are also firewalls that block DNS/UDP responses bigger than 512
> bytes or block EDNS queries/responses 10 years after the
> introduction of EDNS.  There is also middleware that blocks/drops
> DNS/UDP responses that are fragmented.

This tool may help:

http://www.nic.cz/dnssectests/

And this one, too:

https://www.dns-oarc.net/oarc/services/replysizetest
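What the two tools above measure is visible at the wire level: a query carries an EDNS0 OPT pseudo-record whose CLASS field advertises the UDP payload size the client can take, and a path that strips EDNS or caps DNS/UDP at 512 bytes shows up as a reply with no OPT record, a reply with the TC bit set, or no reply at all. The following is an added example, not code from the thread or from ISC: it builds such a query, parses a reply for the TC flag and the advertised OPT size, and says what each finding means. The name, addresses and query ID are assumptions, and `build_response` is a constructed fixture so the example runs offline; against a real path you would send `build_query()` over UDP to the server and hand the bytes that come back to `parse_response()`.

```python
import ipaddress
import struct

EDNS_OPT_TYPE = 41   # RFC 6891 OPT pseudo-RR
QTYPE_A = 1


def _encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _skip_name(data, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def build_query(qname, qid=0x1234, udp_size=4096, qtype=QTYPE_A):
    """Standard query with RD set and an EDNS0 OPT record advertising udp_size."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)      # RD; QD=1; AR=1 (the OPT)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)   # IN class
    # OPT: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def parse_response(data):
    """Header flags and counts plus the payload size the responder advertised (None if no OPT)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            edns_size = rclass
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "edns_size": edns_size, "wire_len": len(data)}


def diagnose(info):
    """What a missing OPT or a set TC bit means on a path that filters large DNS/UDP."""
    findings = []
    if info["edns_size"] is None:
        findings.append("no OPT in reply: EDNS stripped or unsupported on this path, "
                        "UDP answers are capped at 512 bytes")
    if info["tc"]:
        findings.append("TC set: answer truncated, the client must retry over 53/tcp, "
                        "so TCP must not be blocked either")
    return findings


def build_response(query, addresses=(), truncated=False, edns_size=None):
    """Constructed reply to a build_query() packet (test fixture, not real server output)."""
    qend = _skip_name(query, 12) + 4
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA (+ TC)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in addresses)
    opt = b"" if edns_size is None else b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, edns_size, 0, 0)
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(addresses), 0, 1 if opt else 0)
    return header + query[12:qend] + answers + opt


if __name__ == "__main__":
    q = build_query("www.example.net")
    for label, reply in (("clean path", build_response(q, ["192.0.2.1"], edns_size=4096)),
                         ("filtered path", build_response(q, truncated=True))):
        info = parse_response(reply)
        print(label, info, diagnose(info) or ["ok"])
```

A reply that comes back with an OPT record advertising the size the server supports and no TC bit means large UDP answers (DNSSEC-signed responses in particular) can get through; the two findings in `diagnose` correspond to the two kinds of middlebox Mark describes.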