[Bug 1202278] Re: bind9 has no rate limit option
I've started a backport request under LP #1218638

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1202278

Title:
  bind9 has no rate limit option

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1202278/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1202278] Re: bind9 has no rate limit option
Fixed in 1:9.9.3.dfsg.P2-3

** Changed in: bind9 (Ubuntu)
       Status: Confirmed => Fix Released

** Also affects: bind9 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: bind9 (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: bind9 (Ubuntu Precise)
   Importance: Undecided => Wishlist
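The option the fix above delivers is BIND's response rate limiting (RRL), configured with a rate-limit block inside options (or a view). The stanza below is an added example, not from the thread or from the package: the per-second values, the exempt-clients prefixes and the log-only start are assumptions to tune against your own query logs, and it requires a named built with the RRL code (this package version carries it; in upstream 9.9.x it is a build-time option).

```conf
// /etc/bind/named.conf.options  (added example; every value is an assumption)
options {
    directory "/var/cache/bind";
    recursion no;                 // RRL is designed for authoritative servers

    rate-limit {
        responses-per-second 10;  // identical answers to one client block per second
        nxdomains-per-second 5;   // NXDOMAIN answers: the bulk of a random-subdomain flood
        errors-per-second 5;      // SERVFAIL, FORMERR and friends
        window 5;                 // seconds over which a client's credit is averaged
        slip 2;                   // every 2nd dropped answer goes out truncated (TC=1):
                                  // a real client retries over TCP, a spoofed one cannot
        ipv4-prefix-length 24;    // clients are counted per /24 ...
        ipv6-prefix-length 56;    // ... and per /56
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };  // assumed trusted resolvers
        log-only yes;             // audit mode first; switch to "no" to actually drop
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 5m;
        print-time yes;
    };
    category rate-limit { rrl_log; };   // start/periodic/final notices of what RRL limited
};
```

Validate with named-checkconf before reloading, run with log-only yes for a few days and read the rate-limit category output; the clients it reports limiting should be the abusers, not your own resolvers. Only then drop log-only, and keep slip above 0 so legitimate clients that hit the limit still get a TC=1 answer and fall back to TCP.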
[Bug 1202278] Re: bind9 has no rate limit option
It might be possible to bring the feature to 12.04 LTS, through one of two
mechanisms:

The Stable Release Update process https://wiki.ubuntu.com/StableReleaseUpdates
is usually used to fix high-impact bugs. I'd be prepared to ask the SRU team
to include rate-limiting DNS responses as such an issue.

Or, once the feature is in a newer Ubuntu release, you could ask the Backports
team to prepare a wholesale backport of the entirely new version of bind9:
https://help.ubuntu.com/community/UbuntuBackports

Thanks
[Bug 1202278] Re: bind9 has no rate limit option
It looks like upstream is adding this. Can we get this moved into an LTS after
it is out? Should this still be marked "wishlist" since upstream is taking care
of it?

http://www.marketwire.com/press-release/isc-adds-ddos-defense-module-to-bind-software-1814775.htm
[Bug 1202278] Re: bind9 has no rate limit option
That does help; however, I've already uninstalled the Ubuntu bind9 version & created my own from source + patch. I think fixing the actual problem versus a firewall workaround is a better solution, personally. I understand that I'd more likely have had a fix if I reported it upstream, but this isn't a new problem as far as my googling shows, & it appears upstream hasn't done anything yet. However, I appreciate your help & response.
[Bug 1202278] Re: bind9 has no rate limit option
Indeed, this looks useful. However, performing the rate limiting in the kernel
using firewall rules can be more efficient and not require any BIND patches.

There are three mechanisms I can think of for performing this rate limiting
today, without waiting for updates:

- Insert iptables hashlimit rules. Here is one suggested rule:

      # drop_log_dns_abuse is a user-defined chain; create it (iptables -N) before adding this rule
      iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
          --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
          --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse

  (The rule was suggested by joerg jungermann in another context at
  http://mailman.powerdns.com/pipermail/pdns-users/2012-September/009235.html )

- Use phreld to dynamically insert DROP rules for hosts that bypass limits:
  http://www.digitalgenesis.com/software/phrel/manual/phreld.html
  (Sadly, not packaged for Ubuntu.) I know this option is preferred by some
  commercial DNS hosts.

- Use ufw limit to add some quick limits. Since this is intended first and
  foremost to prevent OpenSSH brute-force connection attempts, the default
  limits may be too low for applying to DNS. This might still be appropriate
  for very small installations, however. Your mileage may vary.

I hope this helps. Thanks.
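A complete, installable version of the hashlimit workaround from the message above, as an added example that is not part of the thread or of any project: it also creates the drop_log_dns_abuse chain that the rule jumps to, which the fragment in the message leaves undefined. The chain name, the 200/sec and 500 thresholds, the LOG settings and the IPT/CHAIN/RATE/BURST environment knobs are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug thread: per-source UDP/53 hashlimit
# rule plus the user-defined chain it jumps to. All names/thresholds are
# assumptions; tune them to the query rate your busiest legitimate resolver sends.
set -u

IPT="${IPT:-iptables}"            # IPT=echo prints the commands instead of running them
CHAIN="${CHAIN:-drop_log_dns_abuse}"
RATE="${RATE:-200/sec}"           # per-source query rate above which packets match
BURST="${BURST:-500}"             # initial credit a source may spend before RATE applies

# Target chain: log a sample of offenders (the LOG rule is itself limited so a
# flood cannot fill the log), then drop.
create_abuse_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -A "$CHAIN" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "DNS-ABUSE: " --log-level warning
    $IPT -A "$CHAIN" -j DROP
}

# Hashlimit rule at the top of INPUT, so it runs before any ACCEPT for port 53.
# --hashlimit-mode srcip keeps one bucket per source address; the htable sizes
# bound the kernel memory a flood of spoofed sources can make the table consume.
install_hashlimit_rule() {
    $IPT -I INPUT 1 -p udp --dport 53 \
        -m hashlimit --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
        --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 \
        -j "$CHAIN"
}

# Undo (e.g. once BIND's own rate-limit option is in use). -D needs the exact
# same match specification as the rule that was inserted.
remove_dns_ratelimit() {
    $IPT -D INPUT -p udp --dport 53 \
        -m hashlimit --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
        --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 \
        -j "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN" && $IPT -X "$CHAIN"
}

# The check: chain counters, and the kernel's per-source table for this rule.
show_status() {
    $IPT -nvL "$CHAIN"
    [ -r /proc/net/ipt_hashlimit/DNS-ABUSER ] && cat /proc/net/ipt_hashlimit/DNS-ABUSER
}

case "${1:-}" in
    apply)  create_abuse_chain && install_hashlimit_rule ;;
    remove) remove_dns_ratelimit ;;
    status) show_status ;;
esac
```

Run `IPT=echo sh dns-ratelimit.sh apply` to see the commands, then `sh dns-ratelimit.sh apply` as root; `status` shows the DROP counters and the sources currently tracked. Two caveats a practitioner should weigh: hashlimit keys on the UDP source address, which the attacker in an amplification flood spoofs, so the limit lands on each spoofed victim address rather than on the attacker, and a large legitimate resolver (or a busy NAT) can exceed 200 queries per second on its own and needs a preceding ACCEPT rule or a higher RATE. The same rules are needed under ip6tables for IPv6 traffic.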
[Bug 1202278] Re: bind9 has no rate limit option
** Changed in: bind9 (Ubuntu)
       Status: New => Confirmed

** Changed in: bind9 (Ubuntu)
   Importance: Undecided => Wishlist