iptables and bind

Igor V. Ruzanov igorr at canmos.ru
Wed Aug 20 07:22:47 UTC 2008


As an example, you can try to shape DNS-traffic by means of Traffic 
Control utility (don't forget only to prepare your kernel for tc and 
netfilter support) in aggregation with iptables for classifying 
incoming packets related to DNS queries.

+-------------------------------------------+
! CANMOS ISP Network                        !
+-------------------------------------------+
! Best regards                              !
! Igor V. Ruzanov, network operational staff!
! e-Mail: igorr at canmos.ru                !
+-------------------------------------------+
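Igor's suggestion (tc shaping with iptables classification) and Steven's question about limiting by bytes rather than packets, worked through as an added example that is not part of the thread. The interface name, link speed, fwmark value and burst size are assumptions; 10 Mbit/s is the figure quoted in Chris's message.

```sh
#!/bin/sh
# Added example, not code from the thread: limit DNS by byte rate rather
# than by packet count. Inbound queries are policed by a tc ingress qdisc on
# $WAN; outbound replies are marked by iptables and shaped by an HTB class.
# Assumed (not stated in the thread): interface eth0, link speed 100mbit,
# fwmark 53, DNS budget 10mbit (the figure quoted in the thread), and a
# kernel with sch_ingress, sch_htb, cls_u32, cls_fw and the MARK target.
WAN="${WAN:-eth0}"
LINK="${LINK:-100mbit}"
RATE="${RATE:-10mbit}"
MARK="${MARK:-53}"

run() {  # execute the command, or only print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Inbound: the ingress qdisc runs before netfilter, so iptables marks are not
# visible here; match port 53 with u32 instead (assumes no IP options).
# UDP (proto 17) and TCP (proto 6, used for large answers) are both policed.
police_inbound_dns() {
    run tc qdisc add dev "$WAN" handle ffff: ingress
    for proto in 17 6; do
        run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 \
            match ip protocol "$proto" 0xff match ip dport 53 0xffff \
            police rate "$RATE" burst 64k drop flowid :1
    done
}

# Outbound: mark replies from port 53 in mangle/OUTPUT, send marked packets
# to HTB class 1:10 capped at $RATE; everything else falls into 1:20.
shape_outbound_dns() {
    for proto in udp tcp; do
        run iptables -t mangle -A OUTPUT -o "$WAN" -p "$proto" --sport 53 \
            -j MARK --set-mark "$MARK"
    done
    run tc qdisc add dev "$WAN" root handle 1: htb default 20
    run tc class add dev "$WAN" parent 1: classid 1:10 htb rate "$RATE" ceil "$RATE"
    run tc class add dev "$WAN" parent 1: classid 1:20 htb rate "$LINK"
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

case "${1:-}" in
    apply) police_inbound_dns; shape_outbound_dns ;;   # needs root
    show)  DRY_RUN=1; police_inbound_dns; shape_outbound_dns ;;
esac
```

Run it with `show` to print the rules, or with `apply` as root to install them; the inbound side uses a u32 port match rather than a fwmark because the ingress qdisc sees packets before any iptables chain does.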

On Tue, 19 Aug 2008, Steven Stromer wrote:

> I want to rate limit queries to mitigate threat of Polyakov-styled
> attack, but I can't find anything on iptables rate limiting based on
> bits, bytes, or Mb / time (as opposed to packets/time). I looked
> through the standard iptables extensions, and through the patch-o-
> matic offerings, and can't find the right tool. Assuming that the
> size of any single UDP packet in a query can change, up to the limit
> where it is refused in exchange for a tcp packet, I can't even see
> how the correct packets/time could be accurately inferred. Any
> recommendations?
>
> (NOTE: Tried posting to netfilter list before posting here, but
> haven't gotten a response, and want to address this ASAP, so any
> expertise would be appreciated...)
>
> Thanks!
> Steven Stromer
>
>
> On Aug 12, 2008, at 11:15 AM, Chris Buxton wrote:
>
>> Don't forget the Polyakov attack. Rate-limit your inbound traffic as
>> per Paul Vixie's recommendation (no more than 10 Mbit/s of inbound DNS
>> traffic), if necessary, using a firewall on your DNS server, or
>> possibly using an external DNS server.
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>>
>> On Aug 12, 2008, at 7:08 AM, Paul A wrote:
>>
>>> Thanks Kevin, didn't know if doing random with iptables was going to
>>> make it
>>> harder to guess instead of just using the new bind with port
>>> randomization.
>>>
>>> So at this point I'm assuming that aside from using secure zones,
>>> using the
>>> new bind is all that can be done?
>>>
>>> paul
>>
