Recommendations for ISP caching nameserver?

Brad Knowles brad at stop.mail-abuse.org
Mon Jun 13 19:32:25 UTC 2005


At 10:21 AM -0400 2005-06-13, Rich Parkin wrote:

>  The server in question is a single CPU Netra T-1 with 1 GB of memory
>  running Solaris 9 and Bind 9.2.2 (from sunfreeware).

	9.2.2 is old.  9.2.5 is the current version for the 9.2.x tree, 
and 9.3.1 is the current version for the 9.3.x tree.  I would 
recommend upgrading to either 9.2.5 or 9.3.1 before going any further.

>                                                        It is a recursive,
>  caching nameserver with no authoritative zones and there are no major
>  services running other than Bind.  Up until last week, I was running the
>  server with a limit of 3000 recursive clients with no trouble.  As of this
>  morning, I've bumped it up to 10,000.  (Last week I identified an abuser
>  and got it corrected, but I'm back at square one again today.)

	I've never been particularly fond of trying to place arbitrary 
restrictions on the BIND nameserver such as limiting the number of 
clients, limiting the amount of memory that can be used, etc.... 
IMO, BIND should be allowed to use as much resources as it can get, 
and the other issues will resolve themselves one way or the other -- 
clients won't get responses so they'll go somewhere else, or whatever.

>  I would like to use the allow-recursion and allow-query statements to
>  limit access, but there's a strong probability that we have customers
>  using our DNS servers that aren't actually on our network (please don't
>  ask...) and I don't want to break them if I can help it.

	Every single person I know of that has said this kind of thing 
and then gone on to place appropriate network restrictions on who 
can/can't use their server, has come back to me with incredible tales 
of the abuse of their server that was going on without their 
knowledge.

	My suggestion is to use the allow-query restrictions to limit 
things to just your known customers in your known network, and then 
if you have other paying customers somewhere else, you can then open 
things up to include their IP addresses as well.  But take the most 
restrictive policy first, and only open as absolutely necessary.

	If a server is public recursive/caching there are all sorts of 
nasty abuse that spammers can put your servers to, and they can 
poison your caches to make it easier to break into any client who 
uses your nameservers, or to get their spam through to any client who 
uses your nameservers, etc....


	Trust me, you really don't want to be the nine-year-old boy who 
bends over naked in front of a rioting group of criminals from a 
maximum security prison, screaming "rape me".  Right now, that's 
about the equivalent of what you're doing.

	At the very least, you should pull your pants on and get as far 
away from that facility as possible.  Doing so won't guarantee that 
someone else won't come along and rape you anyway, but at the very 
least you make a conscious effort to reduce the probability of that 
happening.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
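The "most restrictive policy first" approach described in the reply above, written out as a named.conf fragment. This is an added example, not configuration from the original thread or from Rich's server; the prefixes 192.0.2.0/24, 198.51.100.0/24 and the off-net address 203.0.113.10 are RFC 5737 placeholders standing in for the ISP's real customer ranges.

```conf
// Added example named.conf fragment (not from the original thread).
// Assumption: 192.0.2.0/24 and 198.51.100.0/24 are the ISP's own
// customer prefixes; 203.0.113.10 is one verified off-net paying
// customer.  All three are documentation placeholders.

acl "customers" {
    127.0.0.1;            // the resolver host itself
    192.0.2.0/24;         // on-net customer block (placeholder)
    198.51.100.0/24;      // second on-net customer block (placeholder)
};

acl "offnet-customers" {
    // Added one address at a time, only after the customer is confirmed.
    203.0.113.10;         // known off-net customer (placeholder)
};

// BEFORE (open resolver): anyone on the Internet can query and recurse,
// which is the situation the reply above is warning about.
//
// options {
//     recursion yes;
//     allow-query     { any; };
//     allow-recursion { any; };
// };

// AFTER: restrict to known clients first, widen only as absolutely
// necessary.  Everyone else receives REFUSED instead of a cached answer.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { customers; offnet-customers; };
    allow-recursion { customers; offnet-customers; };
};

// Query logging, so that who is actually using the server is known
// before and after the restriction is applied, instead of guessed.
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 10m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};
```

Apply the change with a reload rather than a restart so the cache survives, and watch the query log for legitimate clients that were missed before adding them to the "offnet-customers" ACL.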
