Public bug reported:

It would be nice if the bind9 package for trusty included the --enable-rrl option to mitigate DNS amplification attacks and other DoS-style attacks. ISC has already included this in the upstream code and the --enable-rrl option needs to be added to the configure statement.

https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html

Adding the following to /etc/bind/named.conf.options results in an error:

        rate-limit {
                responses-per-second 5;
                log-only yes;
        };

Mar  6 07:28:56 ubuntu named[23914]: loading configuration from '/etc/bind/named.conf'
Mar  6 07:28:56 ubuntu named[23914]: /etc/bind/named.conf.options:26: unknown option 'rate-limit'
Mar  6 07:28:56 ubuntu named[23914]: loading configuration: failure
Mar  6 07:28:56 ubuntu named[23914]: exiting (due to fatal error)

Checking named -V does not show the --enable-rrl option:
root@ubuntu:/etc/bind# named -V
BIND 9.9.5-2-Ubuntu (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
compiled by GCC 4.8.2
using OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
using libxml2 version: 2.9.1

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "Patch to modify debian/rules to enable rrl"
   https://bugs.launchpad.net/bugs/1288823/+attachment/4009933/+files/enable-rrl.diff
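As an added illustration (not code from the report, from BIND, or from the attached patch), a simplified Python model of what the rate-limit block in the report does: identical responses to one client /24 share a token bucket that starts with responses-per-second credits, refills at that rate, and can run into debt up to responses-per-second times the window, and with log-only yes an over-limit response is logged but still sent. The bucket arithmetic, the /24 prefix and 15-second window defaults, and leaving out BIND's slip behaviour are assumptions of this model, as are the client addresses and query names in the simulation.

```python
import ipaddress


class ResponseRateLimiter:
    """Token-bucket model of a BIND rate-limit block (simplified, constructed here)."""

    def __init__(self, responses_per_second=5, window=15, log_only=False,
                 ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.max_debt = responses_per_second * window  # assumed debt floor
        self.log_only = log_only
        self.prefix = ipv4_prefix_length              # assumed default /24
        self.buckets = {}  # (client block, qname, qtype, rcode) -> (balance, last_seen)
        self.log = []      # what BIND would report in its rate-limit log category

    def _key(self, client_ip, qname, qtype, rcode):
        # Identical responses to one client address block share one bucket.
        block = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(block), qname.lower(), qtype, rcode)

    def check(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return True if the response goes out, False if RRL would drop it."""
        key = self._key(client_ip, qname, qtype, rcode)
        balance, last = self.buckets.get(key, (self.rps, now))
        balance = min(self.rps, balance + (now - last) * self.rps)  # refill credits
        balance = max(-self.max_debt, balance - 1)                   # spend one credit
        self.buckets[key] = (balance, now)
        if balance >= 0:
            return True
        self.log.append(f"limit {key[0]} {qname}/{qtype} ({rcode}) at t={now:.1f}s")
        return self.log_only  # log-only yes: report the hit but still answer


def simulate_burst(limiter, client_ip, count, now=0.0):
    """Send `count` identical ANY responses to client_ip at time `now`; return how many went out."""
    return sum(limiter.check(now, client_ip, "example.com.", "ANY") for _ in range(count))
```

With responses-per-second 5, a burst of 8 identical responses to one address sends 5 and logs 3, and a second host in the same /24 is already over the limit; in log-only mode all 8 go out and the same 3 hits are logged.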

-- 
https://bugs.launchpad.net/bugs/1288823

Title:
  Trusty bind9 RRL


-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com