Recommendations for ISP caching nameserver?
Brad Knowles
brad at stop.mail-abuse.org
Mon Jun 13 19:32:25 UTC 2005
At 10:21 AM -0400 2005-06-13, Rich Parkin wrote:
> The server in question is a single CPU Netra T-1 with 1 GB of memory
> running Solaris 9 and Bind 9.2.2 (from sunfreeware).
9.2.2 is old. 9.2.5 is the current version for the 9.2.x tree,
and 9.3.1 is the current version for the 9.3.x tree. I would
recommend upgrading to either 9.2.5 or 9.3.1 before going any further.
> It is a recursive,
> caching nameserver with no authoritative zones and there are no major
> services running other than Bind. Up until last week, I was running the
> server with a limit of 3000 recursive clients with no trouble. As of this
> morning, I've bumped it up to 10,000. (Last week I identified an abuser
> and got it corrected, but I'm back at square one again today.)
I've never been particularly fond of trying to place arbitrary
restrictions on the BIND nameserver such as limiting the number of
clients, limiting the amount of memory that can be used, etc....
IMO, BIND should be allowed to use as many resources as it can get,
and the other issues will resolve themselves one way or the other --
clients won't get responses so they'll go somewhere else, or whatever.
> I would like to use the allow-recursion and allow-query statements to
> limit access, but there's a strong probability that we have customers
> using our DNS servers that aren't actually on our network (please don't
> ask...) and I don't want to break them if I can help it.
Every single person I know of that has said this kind of thing
and then gone on to place appropriate network restrictions on who
can/can't use their server, has come back to me with incredible tales
of the abuse of their server that was going on without their
knowledge.
My suggestion is to use the allow-query restrictions to limit
things to just your known customers in your known network, and then
if you have other paying customers somewhere else, you can then open
things up to include their IP addresses as well. But take the most
restrictive policy first, and only open as absolutely necessary.
If a server is public recursive/caching there are all sorts of
nasty abuse that spammers can put your servers to, and they can
poison your caches to make it easier to break into any client who
uses your nameservers, or to get their spam through to any client who
uses your nameservers, etc....
Trust me, you really don't want to be the nine-year-old boy who
bends over naked in front of a rioting group of criminals from a
maximum security prison, screaming "rape me". Right now, that's
about the equivalent of what you're doing.
At the very least, you should pull your pants on and get as far
away from that facility as possible. Doing so won't guarantee that
someone else won't come along and rape you anyway, but at the very
least you make a conscious effort to reduce the probability of that
happening.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
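Added example, not part of the thread: a small Python script for the "most restrictive policy first, then open only as necessary" approach above. It scans query-log lines in the BIND 9.x "client <ip>#<port>: query: ..." shape for sources outside the known customer network (so real off-net customers can be whitelisted and everything else cut off), then renders the acl/allow-query/allow-recursion fragment. The log lines, the 192.0.2.0/24 prefix and the `customers` ACL name are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the BIND 9.x query-log shape; not real log data.
SAMPLE_LOG = """\
13-Jun-2005 10:21:03.112 client 192.0.2.17#1034: query: www.example.com IN A
13-Jun-2005 10:21:03.240 client 192.0.2.17#1034: query: mail.example.com IN MX
13-Jun-2005 10:21:04.001 client 198.51.100.9#53012: query: example.net IN A
13-Jun-2005 10:21:04.550 client 203.0.113.77#2201: query: x1.example.org IN A
13-Jun-2005 10:21:04.551 client 203.0.113.77#2201: query: x2.example.org IN A
13-Jun-2005 10:21:04.552 client 203.0.113.77#2201: query: x3.example.org IN A
"""

# Hypothetical prefix standing in for "your known customers in your known network".
KNOWN_NETWORKS = ["192.0.2.0/24"]

# Matches the client address in a BIND query-log line, whatever prefixes it.
QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: ")


def off_net_clients(log_text, known_networks):
    """Return {ip: query_count} for every querying client outside known_networks."""
    # Run this over the query log *before* adding the ACLs: low-volume off-net
    # sources may be paying customers to list explicitly, high-volume ones are
    # candidates for the abuse the reply describes.
    nets = [ipaddress.ip_network(n) for n in known_networks]
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            counts[str(ip)] += 1
    return dict(counts)


def acl_fragment(known_networks, extra_customers):
    """Render the named.conf lines the reply recommends: the known network
    first, plus only the off-net customer addresses you have confirmed."""
    entries = "; ".join(list(known_networks) + list(extra_customers))
    return (f"acl customers {{ {entries}; }};\n"
            "options {\n"
            "    allow-query { customers; };\n"
            "    allow-recursion { customers; };\n"
            "};")


if __name__ == "__main__":
    for ip, n in sorted(off_net_clients(SAMPLE_LOG, KNOWN_NETWORKS).items()):
        print(f"{ip}\t{n} queries")
    print(acl_fragment(KNOWN_NETWORKS, ["198.51.100.9"]))  # one confirmed off-net customer
```

With the sample above, 198.51.100.9 (one query) is the kind of source you would verify and add to the ACL, while 203.0.113.77 is the kind you would leave locked out.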