Mitigation of server's load by queries for non-existing domains
jm5903 at att.com
Wed Jan 13 14:12:56 UTC 2016
Didn't see this mentioned in the other thread messages, but depending on what version of BIND you are using you may find a lot of benefit in using the Response Rate Limiting (RRL) feature. https://www.isc.org/blogs/bind-9-9-4-released/
We have found it to be VERY effective in reducing a lot of these nuisance attacks.
On 12.01.2016 18:16, Tony Finch wrote:
> Tomas Hozza <thozza at redhat.com> wrote:
>> Recently I was trying to find a mechanism in BIND that could prevent the
>> server from processing a recursive query for non-existing domains.
> Have a look at https://www.isc.org/blogs/tldr-resolver-ddos-mitigation/
>> I was thinking about using RPZ with QNAME policy trigger, but this
>> applies only to the responses to queries and still makes the server to
>> try to resolve it.
> RPZ has a "qname-wait-recurse no" option.
This is exactly the thing I was looking for.
Thank you very much!
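To illustrate the two suggestions in this thread, the RRL feature recommended in the first message and the RPZ `qname-wait-recurse no` option in the second, here is a constructed named.conf fragment (an added example, not configuration posted by anyone in the thread). The zone name rpz.local, the file path, the client range and all rate values are assumptions to be adapted locally.

```conf
// named.conf fragment (constructed example; zone name, path, client
// range and numbers are assumptions, not values from the thread)
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // assumed client range

    // Response Rate Limiting (BIND 9.9.4+): caps identical answers per
    // client prefix so a flood of similar queries cannot turn the
    // resolver into an amplifier or exhaust its output.
    rate-limit {
        responses-per-second 10;   // identical positive answers per /24
        nxdomains-per-second 5;    // NXDOMAIN answers get a tighter cap
        errors-per-second 5;
        window 5;                  // seconds over which the rate is measured
        slip 2;                    // every 2nd dropped answer becomes a TC=1 reply
        ipv4-prefix-length 24;
        log-only no;               // set to yes first to observe before enforcing
    };

    // RPZ with qname-wait-recurse no (BIND 9.10+): QNAME triggers are
    // evaluated before recursion starts, so a matching query is answered
    // from the policy zone and is never sent upstream at all.
    response-policy {
        zone "rpz.local";
    } qname-wait-recurse no;
};

// The policy zone itself; kept local, clients have no reason to query it.
zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";   // assumed path
    allow-query { none; };
    allow-transfer { none; };
};

// Contents of /etc/bind/rpz.local.db (constructed). In RPZ, a target of
// "CNAME ." means "answer NXDOMAIN"; the wildcard covers every label
// under the non-existent domain being asked for:
//
//   $TTL 300
//   @                    SOA   localhost. hostmaster.localhost. 1 3600 900 604800 300
//                        NS    localhost.
//   junk.example.test    CNAME .
//   *.junk.example.test  CNAME .
```

After reloading, `rndc status` and the query log show whether the RPZ rule is hit; run RRL with `log-only yes` first to size the limits against real traffic before enforcing them.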
Date: Wed, 13 Jan 2016 14:45:41 +0100 (CET)
From: sthaug at nethelp.no
To: h.reindl at thelounge.net
Cc: bind-users at lists.isc.org
Subject: Re: Bind9 on VMWare
Message-ID: <20160113.144541.41671315.sthaug at nethelp.no>
Content-Type: Text/Plain; charset=us-ascii
> > Complexity?
> which complexity?
> a virtual guest is less complex because you don't need a ton of daemons
> for hardware-monitoring, drivers and what not on the guest
For me the relevant comparison is my ordinary OS vs. my ordinary OS +
> complex are 30 physical servers instead of two fat nodes running a
> virtualization cluster with one powerful shared storage
Ayup, lots of eggs in one basket.
I absolutely believe virtualization has its place. I also believe that
"everywhere" is not that place.
bind-users is probably not the right forum to discuss virtualization,
so I'll just leave the discussion at that for my part.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
Date: Wed, 13 Jan 2016 15:02:47 +0100
From: "Philippe Maechler" <pmaechler-ml at glattnet.ch>
To: <bind-users at lists.isc.org>
Subject: RE: Bind9 on VMWare
>> I'm not sure if it is a good thing to have physical servers, although we
>> a vmware cluster in both nodes which has enough capacity (ram, cpu,
>> I once read that the vmware boxes have a performance issue with heavy udp
>> based services. Did anyone of you face such an issue? Are your dns
>> all running on physical or virtual boxes?
> where did you read that?
I don't remember where I read that. I guess it was on a mailing list where
the OP had issues with either a DHCP or syslog server. It all came down to
the vmware host/switch which was not good enough for udp services. Could be
that this was on Vmware 4.x and got better on 5.x.
But as I said, I can't recall exactly where that was.
End of bind-users Digest, Vol 2286, Issue 2