BIND srtt algorithm not working as expected

Nico CARTRON nicolas at ncartron.org
Thu May 17 12:01:25 UTC 2018 

Hi Paul,

> On 17 May 2018, at 13:46, Paul Roberts <paul at callevanetworks.com> wrote:
> 
> Good grief indeed!
> 
> I would love to implement 'fetches-per-zone' but we need to get them onto BIND 9.11 first, that's a few months away.
> 
> Unfortunately I can't just block this traffic else I'll have the security teams wanting to know why we are compromising their desktop security.
> 
> Even 'fetches-per-zone' is a bit contentious, if we are rate limiting and one of those queries happens to be for a malicious file which doesn't get quarantined (because we never got the actionable response code from Sophos) we'll be in big trouble.
> 
> So we are caught between a rock and a hard place. :-(

Why not putting dnsdist in front of those BIND 9.8, and having it redirect DNS traffic at destination of Sophos to dedicated BIND servers?
And have the other, non Sophos DNS traffic, sent to the current BIND servers?

Cheers,
Nico


> 
> From: Tony Finch <dot at dotat.at>
> Sent: 17 May 2018 12:34
> To: Paul Roberts
> Cc: bind-users at lists.isc.org
> Subject: Re: BIND srtt algorithm not working as expected
>  
> Paul Roberts <paul at callevanetworks.com> wrote:
> 
> > After doing some more packet captures, it looks like a lot of the
> > queries are related to Sophos live protection DNS lookups (lots of
> > queries for sophosxl.net), so there are a lot of queries which don't get
> > resolved.
> 
> Good grief.
> 
> There are a few things you might do to mitigate this idiocy:
> 
> 0. Block sophosxl.net. Your colleagues responsible for AV might not
>    appreciate this :-)
> 
> 1. In BIND 9.11+ there are options `fetches-per-zone` and
>    `fetches-per-server` for helping a resolver to cope with overloaded
>    authoritative servers. When you are forwarding you'll have to rely on
>    fetches-per-zone since fetches-per-server will throttle everything.
>    I don't know how fetches-per-zone discovers zone cuts or how well that
>    works in the forwarding case when your resolver is relying on an
>    upstream to do the iteration.
> 
> 2. Set up sacrificial forwarding IP addresses. These can be additional
>    addresses on your existing forwarders. Configure your resolvers to
>    forward queries for sophosxl.net to the sacrificial addresses instead
>    of the usual ones. Then BIND's address database entries used by most
>    queries won't get polluted by the non-responding servers.
> 
> You might profitably combine 1. and 2. to make the resolver eagerly drop
> queries to the sacrificial forwarders.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/ <http://dotat.at/>
> 
> the quest for freedom and justice can never end
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180517/270089cb/attachment.html>

More information about the bind-users mailing list