<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hey Nico, long time no speak, hope you are well! You still at Efficient IP?</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Yes, that would be a great idea in theory, but in practice it would require a massive infrastructure change for this customer; we'd also have to migrate the anycast IPs to these new nodes (does dnsdist support anycast?) and ensure we can still meet the contracted SLAs. Basically it's a lot of work (+ cost) just to "sort out" this Sophos mess.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I'd rather Sophos did their stuff over a separate TCP or UDP port rather than hijacking DNS, but doubt they will listen to "little old me".
<span>😞</span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<p style="margin-top:0;margin-bottom:0">Cheers,</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Paul</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Nico CARTRON <nicolas@ncartron.org><br>
<b>Sent:</b> 17 May 2018 13:01<br>
<b>To:</b> Paul Roberts<br>
<b>Cc:</b> ML BIND Users<br>
<b>Subject:</b> Re: BIND srtt algorithm not working as expected</font>
<div> </div>
</div>
<div class="" style="word-wrap:break-word; line-break:after-white-space">Hi Paul,<br class="">
<div class="">
<div class="" style="color:rgb(0,0,0); letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; word-wrap:break-word">
<div class="" style="color:rgb(0,0,0); letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; word-wrap:break-word">
<div class="" style="color:rgb(0,0,0); letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; word-wrap:break-word">
<div class="" style="color:rgb(0,0,0); letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; word-wrap:break-word">
<br class="">
</div>
</div>
</div>
</div>
</div>
<div>
<blockquote type="cite" class="">
<div class="">On 17 May 2018, at 13:46, Paul Roberts <<a href="mailto:paul@callevanetworks.com" class="OWAAutoLink" id="LPlnk156867" previewremoved="true">paul@callevanetworks.com</a>> wrote:</div>
<br class="x_Apple-interchange-newline">
<div class="">
<div id="x_divtagdefaultwrapper" dir="ltr" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<div class="" style="margin-top:0px; margin-bottom:0px">Good grief indeed!</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I would love to implement 'fetches-per-zone', but we need to get them onto BIND 9.11 first; that's a few months away.</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Unfortunately I can't just block this traffic else I'll have the security teams wanting to know why we are compromising their desktop security.</div>
<br class="">
Even 'fetches-per-zone' is a bit contentious: if we are rate limiting and one of those queries happens to be for a malicious file which doesn't get quarantined (because we never got the actionable response code from Sophos), we'll be in big trouble.
<div class=""><br class="">
</div>
<div class="">So we are caught between a rock and a hard place. :-(<br class="">
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div>Why not put dnsdist in front of those BIND 9.8 servers and have it redirect the DNS traffic destined for Sophos to dedicated BIND servers?</div>
<div>And have the other, non-Sophos DNS traffic sent to the current BIND servers?</div>
<div><br class="">
</div>
<div>Cheers,</div>
<div>Nico</div>
<div><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div id="x_divtagdefaultwrapper" dir="ltr" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-size:12pt; font-family:Calibri,Helvetica,sans-serif">
<div class="">
<div class="" style="">
<hr tabindex="-1" class="" style="display:inline-block; width:886.890625px">
<div id="x_divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" class="" style="font-size:11pt"><b class="">From:</b><span class="x_Apple-converted-space"> </span>Tony Finch <<a href="mailto:dot@dotat.at" class="OWAAutoLink" id="LPlnk44740" previewremoved="true">dot@dotat.at</a>><br class="">
<b class="">Sent:</b><span class="x_Apple-converted-space"> </span>17 May 2018 12:34<br class="">
<b class="">To:</b><span class="x_Apple-converted-space"> </span>Paul Roberts<br class="">
<b class="">Cc:</b><span class="x_Apple-converted-space"> </span><a href="mailto:bind-users@lists.isc.org" class="OWAAutoLink" id="LPlnk886240" previewremoved="true">bind-users@lists.isc.org</a><br class="">
<b class="">Subject:</b><span class="x_Apple-converted-space"> </span>Re: BIND srtt algorithm not working as expected</font>
<div class=""> </div>
</div>
<div class="x_BodyFragment"><font size="2" class=""><span class="" style="font-size:11pt">
<div class="x_PlainText">Paul Roberts <<a href="mailto:paul@callevanetworks.com" class="OWAAutoLink" id="LPlnk141959" previewremoved="true">paul@callevanetworks.com</a>> wrote:<br class="">
<br class="">
> After doing some more packet captures, it looks like a lot of the<br class="">
> queries are related to Sophos live protection DNS lookups (lots of<br class="">
> queries for <a href="http://sophosxl.net" class="OWAAutoLink" id="LPlnk543263" previewremoved="true">
sophosxl.net</a>), so there are a lot of queries which don't get<br class="">
> resolved.<br class="">
<br class="">
Good grief.<br class="">
<br class="">
There are a few things you might do to mitigate this idiocy:<br class="">
<br class="">
0. Block <a href="http://sophosxl.net" class="OWAAutoLink" id="LPlnk669394" previewremoved="true">
sophosxl.net</a>. Your colleagues responsible for AV might not<br class="">
   appreciate this :-)<br class="">
<br class="">
1. In BIND 9.11+ there are options `fetches-per-zone` and<br class="">
   `fetches-per-server` for helping a resolver to cope with overloaded<br class="">
   authoritative servers. When you are forwarding you'll have to rely on<br class="">
   fetches-per-zone since fetches-per-server will throttle everything.<br class="">
   I don't know how fetches-per-zone discovers zone cuts or how well that<br class="">
   works in the forwarding case when your resolver is relying on an<br class="">
   upstream to do the iteration.<br class="">
<br class="">
2. Set up sacrificial forwarding IP addresses. These can be additional<br class="">
   addresses on your existing forwarders. Configure your resolvers to<br class="">
   forward queries for <a href="http://sophosxl.net" class="OWAAutoLink" id="LPlnk477146" previewremoved="true">
sophosxl.net</a> to the sacrificial addresses instead<br class="">
   of the usual ones. Then BIND's address database entries used by most<br class="">
   queries won't get polluted by the non-responding servers.<br class="">
<br class="">
You might profitably combine 1. and 2. to make the resolver eagerly drop<br class="">
queries to the sacrificial forwarders.<br class="">
<br class="">
Tony.<br class="">
--<span class="x_Apple-converted-space"> </span><br class="">
f.anthony.n.finch  <<a href="mailto:dot@dotat.at" class="OWAAutoLink" id="LPlnk388051" previewremoved="true">dot@dotat.at</a>> <span class="x_Apple-converted-space"> </span><a href="http://dotat.at/" id="LPlnk504439" class="x_OWAAutoLink" previewremoved="true">http://dotat.at/</a><br class="">
<br class="">
the quest for freedom and justice can never end<br class="">
</div>
</span></font></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
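<p>Tony's mitigations 1 and 2, combined as he suggests, as an added named.conf example that is not from anyone in this thread: a forward zone sends only sophosxl.net lookups to sacrificial forwarder addresses, and fetches-per-zone (BIND 9.11+) drops the excess early. All addresses are constructed RFC 5737 documentation values, and the sacrificial addresses are assumed to be extra addresses on the existing forwarder hosts.</p>

```conf
// Resolver side (BIND 9.11+), constructed example; 192.0.2.0/24 is
// documentation space, substitute the real forwarder addresses.
options {
    directory "/var/cache/bind";
    recursion yes;

    // Normal forwarders, used by every name without its own forward stanza.
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward only;

    // Mitigation 1: cap the number of concurrent outstanding fetches per zone.
    // "drop" discards the excess query without answering (Tony's "eagerly
    // drop"); "fail" would return SERVFAIL so the client gets a fast error.
    fetches-per-zone 50 drop;

    // Deliberately no fetches-per-server here: with forwarding every query
    // goes to the same forwarder address, so a per-server cap would throttle
    // all lookups, not just the Sophos ones.
};

// Mitigation 2: route sophosxl.net to the sacrificial addresses only, so the
// non-responding upstream pollutes the SRTT / address-database entries of
// these two addresses and not the ones every other query depends on.
zone "sophosxl.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// Forwarder side (a separate named.conf on the existing BIND forwarders):
// bind the sacrificial addresses in addition to the normal ones, assuming
// they are already configured on the host's interface.
// options {
//     listen-on { 192.0.2.1; 192.0.2.10; };
// };
```

Tony's own caveat still applies: the thread does not confirm how fetches-per-zone accounts for a forwarded zone, so watch the resolver's recursing-query counts under load before relying on the limit.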
</body>
</html>