<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Good grief indeed!</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I would love to implement 'fetches-per-zone' but we need to get them onto BIND 9.11 first, that's a few months away.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Unfortunately I can't just block this traffic else I'll have the security teams wanting to know why we are compromising their desktop security.</p>
<br>
Even 'fetches-per-zone' is a bit contentious, if we are rate limiting and one of those queries happens to be for a malicious file which doesn't get quarantined (because we never got the actionable response code from Sophos) we'll be in big trouble.
<div><br>
</div>
<div>So we are caught between a rock and a hard place. :-(<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Tony Finch <dot@dotat.at><br>
<b>Sent:</b> 17 May 2018 12:34<br>
<b>To:</b> Paul Roberts<br>
<b>Cc:</b> bind-users@lists.isc.org<br>
<b>Subject:</b> Re: BIND srtt algorithm not working as expected</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Paul Roberts <paul@callevanetworks.com> wrote:<br>
<br>
> After doing some more packet captures, it looks like a lot of the<br>
> queries are related to Sophos live protection DNS lookups (lots of<br>
> queries for sophosxl.net), so there are a lot of queries which don't get<br>
> resolved.<br>
<br>
Good grief.<br>
<br>
There are a few things you might do to mitigate this idiocy:<br>
<br>
0. Block sophosxl.net. Your colleagues responsible for AV might not<br>
appreciate this :-)<br>
<br>
1. In BIND 9.11+ there are options `fetches-per-zone` and<br>
`fetches-per-server` for helping a resolver to cope with overloaded<br>
authoritative servers. When you are forwarding you'll have to rely on<br>
fetches-per-zone since fetches-per-server will throttle everything.<br>
I don't know how fetches-per-zone discovers zone cuts or how well that<br>
works in the forwarding case when your resolver is relying on an<br>
upstream to do the iteration.<br>
<br>
2. Set up sacrificial forwarding IP addresses. These can be additional<br>
addresses on your existing forwarders. Configure your resolvers to<br>
forward queries for sophosxl.net to the sacrificial addresses instead<br>
of the usual ones. Then BIND's address database entries used by most<br>
queries won't get polluted by the non-responding servers.<br>
<br>
You might profitably combine 1. and 2. to make the resolver eagerly drop<br>
queries to the sacrificial forwarders.<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <dot@dotat.at> <a href="http://dotat.at/" id="LPlnk504439" class="OWAAutoLink" previewremoved="true">
http://dotat.at/</a><br>
<br>
the quest for freedom and justice can never end<br>
</div>
</span></font></div>
</div>
</div>
</div>
</body>
</html>