[182933] in North American Network Operators' Group
Re: Exploits start against flaw that could hamstring huge swaths of
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Aug 4 19:34:54 2015
X-Original-To: nanog@nanog.org
Date: Tue, 4 Aug 2015 19:34:51 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: Jay Ashworth <jra@baylink.com>
In-Reply-To: <9C2ACA5A-755D-4FCF-8491-745A1F9111BA@puck.nether.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Aug 04, 2015 at 12:00:32PM -0400, Jared Mauch wrote:
> I recommend using DNSDIST to balance traffic at a protocol level as you can have implementation diversity on the backside.
>
Here's an example dnsdist config you might find helpful:
This sends queries to the first two servers unless
they are for domains in the "nether" pool list. They go to
other servers.
You can restrict access based on the Acl.
newServer("x.x.223.10")
newServer("x.x.223.20")
;setServerPolicy(firstAvailable) -- first server within its QPS limit
setServerPolicy(leastOutstanding)
webserver("0.0.0.0:8083", "AskMe")
addACL("192.168.0.0/22")
addACL("10.0.0.0/16")
addACL("172.16.22.0/24")
setKey("AskMe")
controlSocket("127.0.0.1:1099")
newServer{address="129.250.35.250", pool="nether"}
newServer{address="129.250.35.251", pool="nether"}
newServer{address="8.8.8.8", pool="nether"}
addPoolRule({"ntt.net.", "nether.net."}, "nether")
addPoolRule({"arpa.", "google.", "gmail.com.", "google.com.", "googlemail.com."}, "nether")
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
