[161850] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Mar 27 14:55:44 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <A51601D2-6AFC-43B2-8516-7BC74A779578@delong.com>
Date: Wed, 27 Mar 2013 14:52:16 -0400
To: Owen DeLong <owen@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 27, 2013, at 11:54 AM, Owen DeLong <owen@delong.com> wrote:
> It's been available in linux for a long time, just not in BIND…
>
> Here is a working ip6tables example:
>
> -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
>
> YMMV and you may wish to provide tighter limits (less than 30 QPM or a burst of <90).
I am very concerned about examples such as this possibly being implemented by a well-intentioned sysadmin or neteng type without understanding their query load and patterns. bind with the rrl patch does log when things are happening. While the data is possible to extract from iptables, IMHO it's not quite as easy to audit as a syslog.

- Jared
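Jared's point is that an operator should know their query load before copying a `--limit 30/minute --limit-burst 90` rule. The following script is an added example (not code from either poster) that replays a set of query arrival times through a token-bucket model of the netfilter `-m limit` match, so the effect of a given limit and burst on a known traffic pattern can be checked before the rule is deployed. It assumes the limit match behaves as documented (burst is the bucket size, limit is the refill rate); the kernel's internal credit arithmetic is approximated, not reproduced. The two workloads are constructed, not measured data.

```python
"""Token-bucket model of the netfilter `-m limit` match used in the ip6tables
rules quoted above.  Added example, not part of the NANOG thread.

Assumption: `--limit R/minute --limit-burst B` behaves as a token bucket with
capacity B that refills at R tokens per minute (the documented semantics);
the kernel's exact credit arithmetic is only approximated here.
"""
from fractions import Fraction


def simulate_limit(timestamps_ms, rate_per_minute, burst):
    """Replay query arrival times (milliseconds, ascending) through a token
    bucket and return (accepted, dropped) counts.

    A query matches (is accepted) when at least one whole token is available;
    the bucket refills at rate_per_minute/60 tokens per second, capped at
    burst.  Fraction arithmetic keeps the result exact and deterministic.
    """
    refill_per_ms = Fraction(rate_per_minute, 60 * 1000)
    capacity = Fraction(burst)
    tokens = capacity
    last_ms = timestamps_ms[0] if timestamps_ms else 0
    accepted = dropped = 0
    for t in timestamps_ms:
        if t < last_ms:
            raise ValueError("timestamps must be ascending")
        tokens = min(capacity, tokens + (t - last_ms) * refill_per_ms)
        last_ms = t
        if tokens >= 1:
            tokens -= 1
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def steady_stream(qps, seconds):
    """Constructed arrival pattern: `qps` evenly spaced queries per second."""
    interval_ms = 1000 // qps
    return [i * interval_ms for i in range(qps * seconds)]


# Constructed workloads (not measured data):
QUIET_CLIENT = [i * 3000 for i in range(10)]   # one query every 3 s for 30 s
BUSY_CLIENT = steady_stream(10, 30)             # 10 qps for 30 s, 300 queries

if __name__ == "__main__":
    for name, arrivals in (("quiet client", QUIET_CLIENT),
                           ("busy client", BUSY_CLIENT)):
        ok, lost = simulate_limit(arrivals, 30, 90)
        print(f"{name}: {ok} accepted, {lost} dropped of {len(arrivals)}")
```

With the thread's numbers, the quiet client is never limited, while the 10 qps client gets the 90-token burst plus roughly one query every two seconds afterwards and loses about two thirds of its queries within 30 seconds. Note that `-m limit` keeps a single bucket per rule, not per source address, so the quoted rules cap all DNS queries that reach them combined (per-source limiting is what `-m hashlimit` provides); and since excess queries simply fall through to later rules, adding a rate-limited `-j LOG --log-prefix` rule before whatever finally drops them is one way to get the syslog visibility Jared asks for.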