[161868] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Tony Finch)
Wed Mar 27 17:36:28 2013

Date: Wed, 27 Mar 2013 21:33:58 +0000
From: Tony Finch <dot@dotat.at>
cc: nanog@nanog.org
In-Reply-To: <74105DD6-7870-474F-A150-D55C494F5E9F@hopcount.ca>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Joe Abley <jabley@hopcount.ca> wrote:
>
> My assessment is that the implementations I have seen are ready for
> production use, but I think it's understandable given the moving
> goalposts that some vendors have not yet promoted the code to be
> included in stable releases.

It is in the current stable release of NSD 3.2.15, though it is a
build-time option. It is in the current release candidate of Knot DNS
1.2.0-rc4. It will be in BIND 9.10, which has not yet reached public beta.

Our servers have been abused as reflectors, and we're using the BIND RRL
patch with versions 9.8 and 9.9 to stop the attack traffic.

There are other interim options, such as using firewall rate limiting,
which is worse than RRL because it is much more likely to hurt legitimate
queries. For example,
http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html

Or you can use a configuration add-on such as bindguard.
http://bindguard.activezone.de

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
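The reason RRL hurts legitimate clients less than a firewall limit is that RRL keys its limit on the answer (client prefix plus the name and type being asked for), while a packet filter keys only on the source address. The following is an added illustration, not code from this thread, from BIND, or from any tool named above: a deliberately simplified token-bucket model of both approaches run over one second of constructed traffic. The parameters (5 responses per second, a 5 second window, slip 2, /24 prefixes for RRL; 20 packets per second per source for the firewall), the RFC 5737 addresses and the query mix are all assumptions chosen for the example. Real RRL also keys on the response code and handles NXDOMAIN and error responses separately; that is left out here.

```python
"""Why DNS Response Rate Limiting hurts legitimate clients less than a
per-source firewall limit: a simplified model, not BIND's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Query:
    t_ms: int      # arrival time in milliseconds
    src: str       # source address as seen on the wire (spoofed in the attack)
    qname: str
    qtype: str


class TokenBucket:
    """Token bucket kept in thousandths of a token so the arithmetic is exact.
    A rate of N tokens/second is N thousandths per millisecond."""

    def __init__(self, rate_per_s: int, burst: int):
        self.rate = rate_per_s
        self.cap = burst * 1000
        self.tokens = self.cap       # starts full
        self.last_ms = 0

    def take(self, t_ms: int) -> bool:
        self.tokens = min(self.cap, self.tokens + self.rate * (t_ms - self.last_ms))
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def rrl(queries, responses_per_second=5, window=5, slip=2, prefix_len=24):
    """Model of RRL: identical answers to one client prefix are limited, other
    answers are untouched. Every `slip`-th suppressed answer is sent truncated
    (TC=1) so a genuine client can retry over TCP. Returns per-source tallies."""
    buckets = {}
    suppressed = defaultdict(int)
    tally = defaultdict(lambda: {"answered": 0, "slipped": 0, "dropped": 0})
    for q in queries:
        prefix = ip_network(f"{q.src}/{prefix_len}", strict=False)
        key = (prefix, q.qname, q.qtype)       # real RRL also keys on the rcode
        if key not in buckets:
            buckets[key] = TokenBucket(responses_per_second, responses_per_second * window)
        if buckets[key].take(q.t_ms):
            tally[q.src]["answered"] += 1
        else:
            suppressed[key] += 1
            if slip and suppressed[key] % slip == 0:
                tally[q.src]["slipped"] += 1   # small TC=1 reply, no amplification
            else:
                tally[q.src]["dropped"] += 1
    return dict(tally)


def firewall_limit(queries, pps=20, burst=20):
    """Model of a per-source packet limit (the kind a firewall applies): it sees
    only addresses and packet counts, never what is being asked."""
    buckets = {}
    tally = defaultdict(lambda: {"answered": 0, "dropped": 0})
    for q in queries:
        if q.src not in buckets:
            buckets[q.src] = TokenBucket(pps, burst)
        tally[q.src]["answered" if buckets[q.src].take(q.t_ms) else "dropped"] += 1
    return dict(tally)


# Constructed addresses from the RFC 5737 documentation ranges.
VICTIM = "203.0.113.7"      # spoofed source: the reflection target
RESOLVER = "198.51.100.5"   # a busy, legitimate recursive resolver


def constructed_traffic():
    """One second of constructed traffic: 1000 identical spoofed ANY queries
    (one per millisecond) plus 200 distinct legitimate lookups (one per 5 ms)."""
    attack = [Query(t, VICTIM, "example.com", "ANY") for t in range(1000)]
    legit = [Query(5 * i, RESOLVER, f"host{i}.example.com", "A") for i in range(200)]
    return sorted(attack + legit, key=lambda q: q.t_ms)


if __name__ == "__main__":
    traffic = constructed_traffic()
    for name, result in (("RRL", rrl(traffic)), ("firewall", firewall_limit(traffic))):
        for src, counts in result.items():
            print(f"{name:8} {src:15} {counts}")
```

Under the firewall model the resolver and the spoofed victim are indistinguishable, so both are cut to the same handful of answers and most of the resolver's genuine queries are lost. Under the RRL model the attack key is throttled to a few full answers plus truncated slips, while every one of the resolver's distinct queries is answered, because no two of them share a bucket.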

