Re: about DNS RRL

2012-10-17 Thread pangj
> In article , pangj wrote:
>> I have read the document of the redbarn RRL for BIND and this NSD RRL:
>> https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>>
>> I have a question: since the DDoS attacks on DNS come from spoofed
>> IPs, but RRL is

about DNS RRL

2012-10-17 Thread pangj
I have read the document of the redbarn RRL for BIND and this NSD RRL: https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ I have a question: since the DDoS attacks on DNS come from spoofed IPs, but RRL works based on source IP, how can it stop a real-life attack? Thanks.
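The question above is the common one about RRL, and the answer is in what the limiter keys on. RRL limits responses per (client netblock, response identity), not queries per source: when an attacker floods the server with queries carrying a spoofed victim address, the server stops sending more than a handful of identical answers per second toward that victim netblock, so it stops acting as an amplifier for that flood, while other netblocks are untouched. The "slip" setting sends every Nth suppressed answer as a truncated (TC=1) reply so that a genuine client whose address is being spoofed can still retry over TCP. The following added example, written by the editor and not taken from BIND, NSD or redbarn, is a simplified model of that mechanism on a constructed flood; addresses, names and parameter values are assumptions for illustration.

```python
"""Simplified Response Rate Limiting (RRL).

Added illustration of the mechanism described at
http://www.redbarn.org/dns/ratelimits and in the NSD post linked above;
it is not BIND's or NSD's code. The key point: the limit is applied to
*responses* keyed on the client netblock and the response identity, so a
flood of queries with a spoofed source limits what the server sends
toward that (victim) netblock, whoever really sent the queries.
"""
import ipaddress
from collections import namedtuple

Query = namedtuple("Query", "src qname qtype")


class RateLimiter:
    """Token bucket per (netblock, response identity) with RRL-style 'slip'."""

    def __init__(self, responses_per_second=5, window=15, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.window = window          # seconds of "debt" a key may accumulate
        self.slip = slip              # every slip-th excess response is sent truncated
        self.prefix_len = prefix_len  # IPv4 netblock size used in the key
        self.state = {}               # key -> [balance, last_tick, excess_count]

    def _key(self, q, rcode):
        net = ipaddress.ip_network((q.src, self.prefix_len), strict=False)
        if rcode == "NOERROR":
            ident = (q.qname.lower().rstrip("."), q.qtype)   # positive answers
        else:
            ident = (rcode,)                                 # NXDOMAIN etc. by rcode
        return (str(net),) + ident

    def decide(self, q, rcode, now):
        """Return 'respond', 'slip' (TC=1 reply, client may retry over TCP) or 'drop'.

        `now` is a time in whole seconds (simulated here)."""
        key = self._key(q, rcode)
        balance, last, excess = self.state.get(key, (self.rps, now, 0))
        elapsed = now - last
        if elapsed > 0:  # refill credits, capped at one second's allowance
            balance = min(self.rps, balance + elapsed * self.rps)
        if balance > 0:
            self.state[key] = [balance - 1, now, excess]
            return "respond"
        # over the limit: accumulate debt (bounded by window), then slip or drop
        balance = max(balance - 1, -self.window * self.rps)
        excess += 1
        self.state[key] = [balance, now, excess]
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"


def simulate():
    """Constructed scenario: 20 spoofed queries 'from' 192.0.2.10 in one second."""
    rl = RateLimiter(responses_per_second=5, slip=2)
    victim, bystander = "192.0.2.10", "198.51.100.7"
    flood = [rl.decide(Query(victim, "example.com", "A"), "NOERROR", now=0)
             for _ in range(20)]
    return {
        "flood_responded": flood.count("respond"),
        "flood_slipped": flood.count("slip"),
        "flood_dropped": flood.count("drop"),
        # the real owner of 192.0.2.10 asks the same question during the flood
        "victim_during_flood": rl.decide(Query(victim, "example.com", "A"), "NOERROR", 0),
        # an unrelated netblock is not affected at all
        "bystander": rl.decide(Query(bystander, "example.com", "A"), "NOERROR", 0),
        # debt persists into the next second...
        "victim_t1": rl.decide(Query(victim, "example.com", "A"), "NOERROR", 1),
        # ...and is paid off once the flood stops
        "victim_t20": rl.decide(Query(victim, "example.com", "A"), "NOERROR", 20),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Of the twenty spoofed queries, five are answered, seven are slipped and eight dropped; the victim's own query during the flood gets a truncated reply and can fall back to TCP, the bystander netblock is answered normally, and the victim netblock is answered again once the flood stops. The real implementations differ in detail (per-zone keys for error responses, tick granularity, log-only mode), but the reason RRL helps against spoofed sources is exactly this response-side accounting.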

Re: How to Setup DNSSEC

2012-10-16 Thread pangj
IMO, a resolver will have the ability to get the public key of a ZSK for validating the signed RR. How will it get this public key? And is the usage of a KSK similar to a CA certificate? Thanks again. On 2012-10-17 11:25, Alan Clegg wrote: On Oct 16, 2012, at 8:17 PM, pangj wrote: On

Re: How to Setup DNSSEC

2012-10-16 Thread pangj
On 2012-10-17 11:25, Alan Clegg wrote: On Oct 16, 2012, at 8:17 PM, pangj wrote: On 2012-10-17 11:10, Alan Clegg wrote: No, it means that I haven't inserted the DS record for dnslab.org into the .org zone. For the DS record's data, is it the public key of the ZSK? Thanks. No, it's a

Re: How to Setup DNSSEC

2012-10-16 Thread pangj
On 2012-10-17 11:10, Alan Clegg wrote: No, it means that I haven't inserted the DS record for dnslab.org into the .org zone. For the DS record's data, is it the public key of the ZSK? Thanks. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to
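To make the DS question above concrete: a DS record does not carry a public key at all. Per RFC 4034 section 5, its RDATA is (key tag, algorithm, digest type, digest), where the digest is computed over the owner name in canonical wire form followed by the DNSKEY RDATA, normally that of the KSK (flags 257, SEP bit set); the parent zone publishes and signs it, which is what gives the child's DNSKEY a chain of trust. The following added example, written by the editor and not taken from BIND, derives a DS from a DNSKEY and checks it the way a validator would. The DNSKEY material is a constructed four-byte placeholder, not a real key, and the owner names are only those already mentioned in this thread.

```python
"""DS record derivation from a DNSKEY, per RFC 4034 section 5 and Appendix B.

Added example, not BIND's code. A DS record does not carry a public key:
it is (key tag, algorithm, digest type, digest) where the digest covers
the owner name in wire format followed by the DNSKEY RDATA, normally of
the KSK (flags 257, SEP bit set). The parent publishes it so a validator
can tie the child's DNSKEY to the parent's signed zone. The DNSKEY bytes
below are a constructed placeholder, not a real key.
"""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(text):
    """'257 3 8 <base64>' (presentation form) -> RDATA bytes."""
    flags, protocol, algorithm, *key = text.split()
    header = struct.pack("!HBB", int(flags), int(protocol), int(algorithm))
    return header + base64.b64decode("".join(key))


def key_tag(rdata):
    """RFC 4034 Appendix B.1 (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def make_ds(owner, rdata, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY RDATA."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner, rdata, ds):
    """What a validator does: recompute the DS from the child's DNSKEY and compare."""
    return make_ds(owner, rdata, ds[2]) == tuple(ds)


def is_sep(rdata):
    """True if the SEP (KSK) bit, the low-order flags bit, is set."""
    return bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)


KSK_TEXT = "257 3 8 AAEAAg=="   # constructed: 4 placeholder key bytes, not a real key
ZSK_TEXT = "256 3 8 AAEAAg=="   # same bytes, SEP bit clear

if __name__ == "__main__":
    rdata = parse_dnskey(KSK_TEXT)
    tag, alg, dtype, digest = make_ds("dnslab.org", rdata)
    print(f"dnslab.org. IN DS {tag} {alg} {dtype} {digest}")
```

Two things the code makes visible: the DS is bound to the owner name, so the same DNSKEY under a different name yields a different DS, and a ZSK (flags 256) will not match a DS made from the KSK even with identical key bytes. That is why "no DS in .org" means "no secure chain", not "the zone is unsigned".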

Re: How to Setup DNSSEC

2012-10-16 Thread pangj
On 2012-10-17 10:54, Mark Andrews wrote: > There is no DS for udp53.org so there is no secure trust chain. Does this mean .org has not been signed?

Re: How to Setup DNSSEC

2012-10-16 Thread pangj
Hi,

$ dig +dnssec udp53.org soa

; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:

Re: about the wild record

2012-10-15 Thread pangj
Thanks for all your help. Have a nice day. On 2012-10-16 2:02, Chris Buxton wrote: On Oct 15, 2012, at 6:16 AM, pa...@riseup.net wrote: no SOA for test.cloudns.tk IMO. see: You have confused "domain" with "zone". You have a zone named 'cloudns.tk.'. A zone is also a domain. Within that domai

Re: about the wild record

2012-10-15 Thread pangj
3(211.136.192.6)
;; WHEN: Mon Oct 15 21:13:04 2012
;; MSG SIZE  rcvd: 96

The SOA is presented in the AUTHORITY SECTION, not in the ANSWER SECTION, so it's meaningless.

> On Oct 15, 2012, at 3:45 AM, pangj wrote:
>> On 2012-10-15 15:38, Cathy Almond wrote:
>>> On 15/10/12 05:

Re: about the wild record

2012-10-15 Thread pangj
On 2012-10-15 15:38, Cathy Almond wrote: On 15/10/12 05:23, pangj wrote: Hello, I have set up a wild record for cloudns.tk, the record: *.cloudns.tk. 300 IN A 209.141.54.207 And I added another A record as this: s1.test.cloudns.tk. 300 IN A 8.8.8.8 After

about the wild record

2012-10-14 Thread pangj
Hello, I have set up a wild record for cloudns.tk, the record: *.cloudns.tk. 300 IN A 209.141.54.207 And I added another A record as this: s1.test.cloudns.tk. 300 IN A 8.8.8.8 After adding this record, the record for test.cloudns.tk gets lost; it doesn't match
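The behaviour in this post is what RFC 4592 specifies. Once s1.test.cloudns.tk exists, its parent test.cloudns.tk also exists as an empty non-terminal, and a wildcard is only consulted for names that do not exist; an existing name with no records of the requested type is answered NOERROR with an empty answer section (NODATA), never from *.cloudns.tk. The wildcard also does not descend past an existing name, so x.test.cloudns.tk gets NXDOMAIN unless a *.test.cloudns.tk record is added. The following added example, written by the editor and not taken from BIND, implements that lookup over a constructed copy of the zone in this thread; the SOA and NS rdata are assumptions, the A records are the ones quoted above.

```python
"""Wildcard lookup following RFC 4592, including empty non-terminals.

Added example (not BIND's code) reproducing the behaviour described in
this thread: adding s1.test.cloudns.tk makes test.cloudns.tk an
existing, empty non-terminal, and an existing name is never answered
from a wildcard.
"""


def labels(name):
    """'s1.Test.cloudns.tk.' -> ('s1', 'test', 'cloudns', 'tk')"""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)


class Zone:
    def __init__(self, origin, records):
        self.origin = labels(origin)
        self.rrsets = {}          # (owner labels, type) -> [rdata, ...]
        self.names = set()        # every owner name and all its ancestors
        for owner, rtype, rdata in records:
            own = labels(owner)
            self.rrsets.setdefault((own, rtype), []).append(rdata)
            for i in range(len(own) - len(self.origin) + 1):
                self.names.add(own[i:])   # ancestors exist as (empty) non-terminals

    def lookup(self, qname, qtype):
        q = labels(qname)
        if len(q) < len(self.origin) or q[-len(self.origin):] != self.origin:
            return "REFUSED", []          # not our zone
        if q in self.names:
            # Name exists (maybe only as an empty non-terminal): no wildcard
            # processing at all (RFC 4592 sections 2.2.1 and 4.3).
            rdata = self.rrsets.get((q, qtype), [])
            return ("NOERROR" if rdata else "NODATA"), rdata
        # Name does not exist: find the closest encloser (longest existing
        # ancestor) and synthesize from '*.<closest encloser>' if present.
        for i in range(1, len(q) - len(self.origin) + 1):
            encloser = q[i:]
            if encloser in self.names:
                wild = ("*",) + encloser
                if wild in self.names:
                    rdata = self.rrsets.get((wild, qtype), [])
                    return ("NOERROR" if rdata else "NODATA"), rdata
                return "NXDOMAIN", []
        return "NXDOMAIN", []


# Constructed zone modelled on the records quoted in the thread
# (SOA and NS rdata are placeholders).
BASE_RECORDS = [
    ("cloudns.tk.", "SOA", "ns1.cloudns.tk. hostmaster.cloudns.tk. 1 3600 900 604800 300"),
    ("cloudns.tk.", "NS", "ns1.cloudns.tk."),
    ("*.cloudns.tk.", "A", "209.141.54.207"),
    ("s1.test.cloudns.tk.", "A", "8.8.8.8"),
]
ZONE = Zone("cloudns.tk", BASE_RECORDS)

# The fix: give test.cloudns.tk an explicit record of its own.
ZONE_FIXED = Zone("cloudns.tk", BASE_RECORDS + [("test.cloudns.tk.", "A", "209.141.54.207")])

if __name__ == "__main__":
    for name in ("foo.cloudns.tk", "test.cloudns.tk", "s1.test.cloudns.tk",
                 "x.test.cloudns.tk", "a.b.c.cloudns.tk"):
        print(f"{name:22} A  {ZONE.lookup(name, 'A')}")
    print("fixed test.cloudns.tk A", ZONE_FIXED.lookup("test.cloudns.tk", "A"))
```

With the original records, foo.cloudns.tk and a.b.c.cloudns.tk are synthesized from the wildcard, test.cloudns.tk returns NODATA, and x.test.cloudns.tk returns NXDOMAIN; adding the explicit test.cloudns.tk A record is what restores the answer the poster expected.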

DNS software used by cloudflare

2012-09-18 Thread pangj
Hello, do you know what DNS software is used by Cloudflare, and how they defend against DDoS on DNS? Thanks.

Re: BIND 9.6-ESV-R7-P3 is now available

2012-09-13 Thread pangj
Should we use the latest 9.9 version of BIND instead of the other 9.x versions? BIND 9.6-ESV-R7-P3 is the latest production release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P3. Plea

Re: install BIND on Mac OS X

2012-09-07 Thread pangj
Thanks.

bogon:~ pro$ named -v
BIND 9.7.3-P3

It is indeed already installed.

On 2012-09-08 09:08, jeffrey j donovan wrote: open your terminal.app and type ; named -v most likely it is already installed. else you can download source tarball unpack and compile in a /usr/local/src ./configure make make

install BIND on Mac OS X

2012-09-07 Thread pangj
Hi, I have a MacBook Pro and just want to install BIND on it for test purposes. Is there any guide for this? Thanks.

Re: prevent DNS attack

2012-06-28 Thread pangj
Do you really mean 1 GByte? I doubt your NS can handle this traffic... 1 Gbit/s. I was under attack at that time. 1 Gbit/s is nothing indeed. Last year the traffic was about 10 Gbit/s to my customer's DNS cluster. -- Email/Jabber/Gtalk: pa...@riseup.net Free DNS Hosting with www.DNSbed.com

Re: prevent DNS attack

2012-06-27 Thread pangj
define "fake" -- if you mean rfc1918, you can block the ranges at ingress, or with iptables or similar to avoid letting it hit bind at all. Yes I mean source-spoofed DDoS attack and I am reading this document: http://en.wikipedia.org/wiki/Ingress_filtering Is there a sample iptables script fo

Re: prevent DNS attack

2012-06-27 Thread pangj
There is also a patch for BIND which can help: http://www.redbarn.org/dns/ratelimits Thank you. The traffic is incoming, and the incoming IPs are fake; how will the patch work to stop them? -- Email/Jabber/Gtalk: pa...@riseup.net Free DNS Hosting with www.DNSbed.com

prevent DNS attack

2012-06-27 Thread pangj
Hello, DNS is very easy to attack. My named service sometimes gets 1G or more of attack traffic. What steps can we take to prevent this? Thanks -- Email/Jabber/Gtalk: pa...@riseup.net Free DNS Hosting with www.DNSbed.com

Re: limiting number of requests of a single hosts

2012-06-15 Thread pangj
You DO realize that DNS is (mostly) UDP packets, and an attacker (or in your case, the ADs) can simply send UDP packet floods to kill your firewall (in your current state), regardless how your DNS server is configured, even when the DNS server is down? Once we had the firewall for DNS, when it

Re: about the non-authoritative CNAME

2012-06-14 Thread pangj
named is paranoid. It discards the rest of the response after processing the CNAME. Thanks Mark, that sounds great. -- Email/Jabber/Gtalk: pa...@riseup.net Free DNS Hosting with www.DNSbed.com

Re: about the non-authoritative CNAME

2012-06-14 Thread pangj
In message <4fda970e.9080...@riseup.net>, pangj writes: Hi, If BIND is authoritative for zone a, and is not authoritative for zone b, but zone b is configured in BIND's zone file, and x.zonea.com is CNAME'd to y.zoneb.com. When a DNS client queries this BIND for x.zonea.

about the non-authoritative CNAME

2012-06-14 Thread pangj
Hi, If BIND is authoritative for zone a, and is not authoritative for zone b, but zone b is configured in BIND's zone file, and x.zonea.com is CNAME'd to y.zoneb.com. When a DNS client queries this BIND for x.zonea.com, it gets authoritative answers for both x.zonea.com and y.zoneb.com,

Re: Verify raw data within slaves on 9.9.x

2012-06-11 Thread pangj
We wrote a Perl script to transparently translate a raw zone file into text, so all of our old code that assumes a zone file is in text format wouldn't die. We also wrote Perl scripts to map the data from the database to zone files, and from zone files back to the database. See www.dnsbed.c

authoritative server is not caching?

2011-07-19 Thread pangj
Hello, I want to make sure: will the authoritative server not cache anything, even the authoritative answers from itself? Because I saw the book Pro DNS and BIND says: The (authoritative) name server does not cache. Thanks.

about AUTHORITY SECTION

2011-07-06 Thread pangj
Hello, I got two different forms of AUTHORITY SECTION from dig, for example,

$ dig mydots.net @ns7.dnsbed.com

; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @ns7.dnsbed.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36520
;; flags: qr aa rd; QUERY