RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)
Dave Warren
davew at hireahit.com
Fri Jul 5 22:29:19 UTC 2013
On 2013-07-05 07:21, John Wobus wrote:
> I endorse this suggestion: we were faced with such attacks and were
> naturally leery about issues we might run into running a patched bind
> and the additional tuning it could require. Our experience is: the RRL
> patch, used with its default parameters, simply does the job.

I haven't been following the RRL discussions too closely; is this patch
scheduled to be included in BIND9 proper or will it remain a patch?

We generally prefer to avoid "unsupported" (third party) patches,
although I am working on getting an exception through for this
particular situation, but if it's scheduled for inclusion in the nearish
future, we may wait.

In the meantime, would it make sense to set "minimal-responses yes"
proactively, or only if a spike of activity is detected (noting that it
will take us 1-3 days to notice a spike unless it's disruptive to
performance)?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren