DDOS attack Bind 9.9 - P2

rohan.henry at cwjamaica.com
Fri May 3 21:18:19 UTC 2013

Understood. I already have ACLs defined. So I can use "rate-limit{exempt-clients{address-match-list}}; " statement to exclude my client addresses from the RRL checks. Thanks.


On Fri, 3 May 2013 20:13:47 GMT
 Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: <rohan.henry at cwjamaica.com>
>> >What if both authoritative and recursive are running on the same
>> >server since RRL does not apply to recursive servers?
>> Found the answer to below.
>> According to isc-tn-2012-1.txt hybrid authority/recursive servers
>> are out of scope.
>I disagree.  What isc-tn-2012-1.txt says is 
>                                      Deliberately open recursive DNS
>   servers, or hybrid authority/recursive servers or server views, are
>   outside the scope of ***THIS DOCUMENT.***  (emphasis added)
>Recursive servers should be closed instead of open to the Internet.
>When a single BIND instance is used for both local recursive service
>and global authoritative service, a good way to close the recursive
>service to the Internet while providing authoritative service to the
>Internet is with two views.  The external view can disable recursion
>and include a rate-limit{} statement to apply RRL to responses to
>external DNS clients.  Another way to close recursion to the Internet
>is to use allow-recursion{address-match-list}; and
>rate-limit{exempt-clients{address-match-list}}; statements in the main
>options statement.
>If you must keep your recursive server open to the Internet, then you MUST
>do some sort of rate limiting.  If you cannot do rate limiting that
>is even fancier than RRL such as Google's, then an open recursive
>server with RRL is far better than a naked open recursive DNS server.
>See https://developers.google.com/speed/public-dns/docs/security#rate_limit
>The problem with RRL on recursive servers is that it works.  Any rate
>limiting sufficiently low to minimize the danger of DNS reflection DoS
>attacks including RRL can affect applications such as web browsers and
>SMTP servers (mail receivers) that send bursts of identical DNS requests.
>With RRL, those effects are generally limited to pauses and slow downs
>as affected applications time out and retry.
>Vernon Schryver    vjs at rhyolite.com

Rohan Henry
Server Administrator
Cable And Wireless Jamaica
Phone (876) 936-4819
Mobile (876) 997-0729

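The two layouts Vernon describes above, written out as named.conf fragments. This is an added example, not configuration from either poster or from ISC; it assumes a BIND build with RRL support, an ACL named "trusted" covering the local client ranges (the prefixes here are placeholders), and a zone "example.com" served from "db.example.com". Only one of the two layouts is used at a time.

```conf
// Added example: closing recursion to the Internet while applying RRL
// to the authoritative answers that the Internet can still get.
// ACL name and prefixes are assumptions; substitute your own.
acl "trusted" {
    127.0.0.0/8;
    10.0.0.0/8;
    192.168.0.0/16;
};

// ---- Layout 1: two views -------------------------------------------
// Local clients match first and get recursion with no rate limit.
view "internal" {
    match-clients { trusted; };
    recursion yes;

    // Root hints are compiled in; listing them explicitly is optional.
    zone "." { type hint; file "named.root"; };

    zone "example.com" {
        type master;
        file "db.example.com";
    };
};

// Everyone else gets authoritative data only, and RRL applies to it.
view "external" {
    match-clients { any; };
    recursion no;

    rate-limit {
        responses-per-second 5;   // identical answers per client block
        window 5;                 // seconds over which the rate is averaged
        // log-only yes;          // uncomment to observe before enforcing
    };

    // Without in-view (9.10+), the zone is declared again in this view.
    zone "example.com" {
        type master;
        file "db.example.com";
    };
};

// ---- Layout 2: single options statement ----------------------------
// Equivalent effect without views: recursion stays on but is restricted
// to the ACL, and the same ACL is exempted from RRL checks.
// (Remove the two view blocks above if you use this layout.)
//
// options {
//     recursion yes;
//     allow-recursion    { trusted; };
//     allow-query-cache  { trusted; };
//
//     rate-limit {
//         responses-per-second 5;
//         window 5;
//         exempt-clients { trusted; };
//     };
// };
```

Check the result with named-checkconf before reloading, and consider running with "log-only yes;" first: the log lines show which clients would have been limited, which is how you find a busy mail server or web proxy on your own network that still needs to be in the exempt list.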