Additionally, authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer if the query name involves zones you serve. Only if you are a recursive-only server should you be considering REFUSED. -- M
On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote:
! For my servers I'm using iptables rules to achieve ratelimiting. They
! look as follows:
! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --
! update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.2
On 8/2/22 17:30, Nathan Ollerenshaw via bind-users wrote:
On 8/2/22 1:02 PM, Robert Moskowitz wrote:
Recently I have been having problems with my server not responding to
my requests. I thought it was all sorts of issues, but I finally
looked at the logs and:
You're being used as an unwill
I've never actually used RRL, but from the manual, it appears to default to a
/24 prefix length to determine whether IPv4 clients are "similar" enough to be
lumped in the same bucket, for RRL purposes. That might need to be tweaked,
depending on the profile of whoever is attacking/abusing you. T
On 8/2/22 1:02 PM, Robert Moskowitz wrote:
Recently I have been having problems with my server not responding to my
requests. I thought it was all sorts of issues, but I finally looked at
the logs and:
Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205
(.): view external
>> Any best practices on this?
>>
>> I am running bind 9.11.4
>>
>> thanks
> You could think about adding fail2ban to your server with some custom rules.
> Helped us in a similar situation.
You could also take advantage of BIND's built-in Response Rate Limiting which
is explained here:
https:
For my servers I'm using iptables rules to achieve ratelimiting. They
look as follows:
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --
update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255
--rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW
On 8/2/22 2:02 PM, Robert Moskowitz wrote:
Any best practices on this?
It looks like you're dealing with A queries for the root domain. I've
blocked this, and similar queries, via iptables firewall in the past.
Also, make sure that you apply the same BIND ACL to the cache that you
do for q
On Tuesday, 2 August 2022 22:02:58 CEST, Robert Moskowitz wrote:
> Recently I have been having problems with my server not responding to my
> requests. I thought it was all sorts of issues, but I finally looked at
> the logs and:
>
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.1
Recently I have been having problems with my server not responding to my
requests. I thought it was all sorts of issues, but I finally looked at
the logs and:
Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205
(.): view external: query (cache) './A/IN' denied
Aug 2 15:47
On 02-Aug-22 13:51, Brown, William wrote:
my guess is that they see dnssec as fragile, have not seen _costly_
dns subversion, and measure dns outages in thousands of dollars a
minute.
No one wants to be this guy:
http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_201201
18_FINA
On 8/2/22 11:51 AM, Brown, William wrote:
Or perhaps some way of the client side deciding how to handle hard vs.
soft failure.
Wouldn't this require the client side being aware of DNSSEC and making
a decision based on it?
Maybe it's just me, but I think client application side DNSSEC
validati
On 02-Aug-22 13:18, Peter wrote:
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
!
! On 02-Aug-22 11:09,bind-users-requ...@lists.isc.org wrote:
!
! > | Before your authoritative view, define a recursive view with the internal
! > ! zones defined as static-stub, match-recursive-only
>>> my guess is that they see dnssec as fragile, have not seen _costly_
>>> dns subversion, and measure dns outages in thousands of dollars a
>>> minute.
>> No one wants to be this guy:
>> http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf
>so, to me, a cru
>> my guess is that they see dnssec as fragile, have not seen _costly_
>> dns subversion, and measure dns outages in thousands of dollars a
>> minute.
> No one wants to be this guy:
> http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf
so, to me, a crucial question
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
!
! On 02-Aug-22 11:09, bind-users-requ...@lists.isc.org wrote:
!
! > | Before your authoritative view, define a recursive view with the internal
! > ! zones defined as static-stub, match-recursive-only "yes", and a
! > ! server-addre
Hello all
We are getting ready to test Bind 9.18.x. Currently we are running the latest
version of the 9.16.x branch.
We have downloaded and successfully installed the jemalloc module on the Server
(RHEL 7.9 OS) and are getting ready to compile the latest version of Bind 9.18.x.
Can someone please po
On 02-Aug-22 11:09, bind-users-requ...@lists.isc.org wrote:
| Before your authoritative view, define a recursive view with the internal
! zones defined as static-stub, match-recursive-only "yes", and a
! server-address of localhost.
Uh? Why before?
Because each request attempts to match the
Thank you very much, Ondrej,
There is a KB https://kb.isc.org/docs/bind-memory-consumption-explained
==
Overview
BIND users upgrading from BIND 9.11 versions to BIND 9.16 may notice increased
memory consumption. This article explains in detail how BIND allocates memory
in 9.16, and 9.17/9.18
Hi,
#9.18.5
Configuration summary:
---
Optional features enabled:
Memory allocator: jemalloc
DNSSEC validation active by default (--enable-auto-validation)
--
Dmitri,
Just downloading, building and installing the latest version of jemalloc
like this doesn't mean that BIND will find and use it. BIND has to be
compiled with the correct compiler and linker flags to use this version.
Are you certain BIND is using your installed version?
--
Anand
On 0
Well, then I don’t know the reason for the difference in your case. And I don’t
personally see a compelling reason to investigate a 10% increase in an artificial
scenario like this since it apparently doesn’t apply to all scenarios. However,
you are free to do the further investigation yourself.
W
Hi,
Resending ... bad format.
dnf install wget bzip2 gcc make -y
wget
https://github.com/jemalloc/jemalloc/releases/download/5.3.0/jemalloc-5.3.0.tar.bz2
bzip2 -d jemalloc-5.3.0.tar.bz2 && tar -xf jemalloc-5.3.0.tar && cd
jemalloc-5.3.0
./configure
make
make install
reboot -f
Dmitri.
-Original Message-
From: Ondřej Surý
Sen
I don’t see jemalloc anywhere in your setup scripts. Preferably use the latest
upstream jemalloc version available.
Ondřej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 2. 8
Hi,
Thank you very much for your feedback, Ondrej.
Sharing the steps. Very simple: configure -> make -> make install. Very simple
configuration. Just the zone file is big. Please, see the attached.
1. I followed the instructions from here
https://bind9.readthedocs.io/en/v9_18_4/chapter10.html
> my guess is that they see dnssec as fragile, have not seen _costly_ dns
> subversion, and measure dns outages in thousands of dollars a minute.
>randy
No one wants to be this guy:
http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf
On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote:
! You can get the AD flag set, with a bit of extra work. I've done this for
! years.
Thanks for your message, Timothe.
After investigating the matter, I had figured out a similar approach -
but didn't know if this is a recommended or
Just use /dev/urandom as the random device after reading a single byte from
/dev/random to ensure the CSPRNG has been seeded.
The unsuitability of /dev/urandom for cryptographic purposes is just a myth.
You are more likely affected by seeding all the instances from the same seed
saved in the image
On 01-Aug-22 18:29, Grant Taylor wrote:
On 8/1/22 4:21 PM, Greg Choules via bind-users wrote:
Off the top of my head, could it be this?
random-device
...
BIND will need a good source of randomness for crypto operations.
Drive by plug: If it is lack of entropy, try installing and running
On 01-Aug-22 12:15, John W. Blue wrote:
While that extra overhead is true, it is more accurate to say that if
internal clients are talking directly to an authoritative server the
AD flag will not be set. You will only get the AA flag. So there is
nothing to be gained from signing an interna