named tcp dos?
daniel.stirnimann at switch.ch
Thu Aug 2 06:28:49 UTC 2018
> so, i guess there is a named tcp dos going around. using bind9, is
> there an amelioration? or am i misconfigured in some way?
It looks to me that this is a side effect of a very permissive RRL
configuration. My tests with the following command indicate that you
have set responses-per-second to 5.
mdig @188.8.131.52 -f queries.txt
queries.txt contains 40x
I would suggest something like this:
// start rate-limiting if more than X identical
// responses per second, default 0 i.e. unlimited
// credit/penalty WINDOW, default 15
// send TC for every X-th rate-limited response, default 2
Depending on your "max-udp-size" value (default 4096) you may also want
to increase "tcp-clients" setting (default 150).
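The reply above ties the "TCP DoS" symptom to RRL: once a client exceeds responses-per-second, BIND starts dropping its identical responses and, every slip-th time, answers with TC=1 instead, which makes a well-behaved resolver retry over TCP and eat a tcp-clients slot. The following is an added example (not code from this thread and not ISC's own rrl.c) that models those three options as a per-client token bucket and estimates the TCP load a burst provokes. The bucket arithmetic (start with responses-per-second credits, refill at that rate up to responses-per-second × window, one credit per answered response, TC on every slip-th limited response) is a deliberate simplification of BIND's algorithm, and the "one TCP connection per TC response, lasting about a second" assumption in tcp_pressure is a rough rule of thumb, not a measured value.

```python
"""Simplified model of BIND 9 response rate limiting (RRL).

Added example for the bind-users discussion above; not ISC code.
Assumptions (simplifications of BIND's rrl.c, not its exact arithmetic):
  * the bucket for one (client, identical-response) pair starts with
    `responses_per_second` credits and refills at that rate each second,
    capped at responses_per_second * window;
  * every answered response costs one credit;
  * every `slip`-th limited response is sent with TC=1 instead of being
    dropped (slip 0 = never truncate), and each TC=1 reply is assumed to
    trigger one TCP retry that occupies a tcp-clients slot for ~1 second.
"""

from dataclasses import dataclass


@dataclass
class RateLimit:
    responses_per_second: int      # 0 means unlimited (BIND default)
    window: int = 15               # seconds of credit that may accumulate
    slip: int = 2                  # 0 = drop all, 1 = TC every limited response


def simulate(rl: RateLimit, queries_per_second: list[int]) -> dict:
    """Feed identical queries from one client, one list entry per second.

    Returns how many responses were answered, dropped, or truncated (TC=1).
    """
    total = sum(queries_per_second)
    if rl.responses_per_second == 0:
        return {"answered": total, "dropped": 0, "truncated": 0}

    rps = rl.responses_per_second
    credits = float(rps)           # assumed: bucket starts full
    limited = answered = dropped = truncated = 0
    for second, n in enumerate(queries_per_second):
        if second > 0:             # refill once per elapsed second
            credits = min(credits + rps, rps * rl.window)
        for _ in range(n):
            if credits >= 1:
                credits -= 1
                answered += 1
            else:
                limited += 1
                if rl.slip and limited % rl.slip == 0:
                    truncated += 1     # TC=1: client retries over TCP
                else:
                    dropped += 1       # silently dropped
    return {"answered": answered, "dropped": dropped, "truncated": truncated}


def tcp_pressure(rl: RateLimit, clients: int, queries_per_client_per_second: int,
                 seconds: int, tcp_clients: int = 150) -> dict:
    """Estimate concurrent TCP connections that slip retries would open.

    `clients` identical-behaving resolvers each send the same query rate.
    Assumes each TC=1 reply becomes one TCP connection lasting ~1 second,
    so TC replies per second approximates concurrent TCP connections.
    tcp_clients defaults to BIND's default of 150.
    """
    per_client = simulate(rl, [queries_per_client_per_second] * seconds)
    tc_per_second = per_client["truncated"] / seconds
    concurrent = tc_per_second * clients
    return {
        "tc_per_client_per_second": tc_per_second,
        "concurrent_tcp": concurrent,
        "exceeds_tcp_clients": concurrent > tcp_clients,
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: 40 identical queries in one
    # second against responses-per-second 5 with the default slip of 2.
    tight = RateLimit(responses_per_second=5, window=15, slip=2)
    print("rps=5:", simulate(tight, [40]))
    print("ten such clients:", tcp_pressure(tight, clients=10,
                                            queries_per_client_per_second=40,
                                            seconds=1))
    print("unlimited:", simulate(RateLimit(0), [40]))
```

Under this model a single client sending 40 identical queries against responses-per-second 5 gets 5 answers, 18 drops and 17 TC=1 replies; ten such clients already exceed the default tcp-clients of 150, which is why the reply suggests raising responses-per-second and tcp-clients together rather than either alone.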