Mitigation of server's load by queries for non-existing domains

MURTARI, JOHN jm5903 at att.com
Wed Jan 13 14:12:56 UTC 2016


Tony,
	Didn't see this mentioned in the other thread messages, but depending on what version of BIND you are using you may find a lot of benefit in using the Response Rate Limiting (RRL) feature. https://www.isc.org/blogs/bind-9-9-4-released/

	We have found it to be VERY effective in reducing a lot of these nuisance attacks.
	Best regards!

John Murtari

On 12.01.2016 18:16, Tony Finch wrote:
> Tomas Hozza <thozza at redhat.com> wrote:
>>
>> Recently I was trying to find a mechanism in BIND that could prevent the
>> server from processing a recursive query for non-existing domains.
> 
> Have a look at https://www.isc.org/blogs/tldr-resolver-ddos-mitigation/
> 
>> I was thinking about using RPZ with QNAME policy trigger, but this
>> applies only to the responses to queries and still makes the server to
>> try to resolve it.
> 
> RPZ has a "qname-wait-recurse no" option.

This is exactly the thing I was looking for.

Thank you very much!

Tomas

> Tony.
> 
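The two mechanisms named in this thread, RRL and an RPZ QNAME trigger with "qname-wait-recurse no", as an added named.conf fragment that is not part of the original messages. It assumes BIND 9.10 or later (qname-wait-recurse), a locally served policy zone called "rpz.example", and placeholder client netblock and rate values.

```conf
// Added illustrative fragment, not from the original thread.
// Assumes BIND 9.10+ and an RPZ zone "rpz.example" kept in a local file;
// the client range, zone name and rate values are placeholders.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // placeholder: only known clients may recurse

    // Response Rate Limiting (BIND 9.9.4+): cap repeated identical responses
    // per client netblock so floods are slowed rather than amplified.
    rate-limit {
        responses-per-second 10;   // ordinary answers
        nxdomains-per-second 5;    // NXDOMAIN answers, the usual junk-query flood
        errors-per-second 5;
        window 5;                  // seconds over which the limits are averaged
        log-only no;               // set to "yes" first to observe before enforcing
    };

    // RPZ with a QNAME trigger. "qname-wait-recurse no" lets the policy
    // answer as soon as the query name matches, without resolving it first.
    response-policy { zone "rpz.example"; } qname-wait-recurse no;
};

zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { none; };   // policy zone, never served to clients directly
};
```

In rpz.example.db a QNAME trigger such as `*.junk.example CNAME .` (alongside the zone's SOA and NS records) returns NXDOMAIN for anything under that name, and with the option above the resolver does not go out and recurse for it first. Watch the `rate-limit` and `rpz` log categories after enabling either feature to confirm they fire on the traffic you expect and not on legitimate clients.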


------------------------------

Message: 8
Date: Wed, 13 Jan 2016 14:45:41 +0100 (CET)
From: sthaug at nethelp.no
To: h.reindl at thelounge.net
Cc: bind-users at lists.isc.org
Subject: Re: Bind9 on VMWare
Message-ID: <20160113.144541.41671315.sthaug at nethelp.no>
Content-Type: Text/Plain; charset=us-ascii

> > Complexity?
> 
> which complexity?
> 
> a virtual guest is less complex because you don't need a ton of daemons 
> for hardware-monitoring, drivers and what not on the guest

For me the relevant comparison is my ordinary OS vs. my ordinary OS +
VMWare.

> complex are 30 physical servers instead of two fat nodes running a 
> virtualization cluster with one powerful shared storage

Ayup, lots of eggs in one basket.

I absolutely believe virtualization has its place. I also believe that
"everywhere" is not that place.

bind-users is probably not the right forum to discuss virtualization,
so I'll just leave the discussion at that for my part.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no


------------------------------

Message: 9
Date: Wed, 13 Jan 2016 15:02:47 +0100
From: "Philippe Maechler" <pmaechler-ml at glattnet.ch>
To: <bind-users at lists.isc.org>
Subject: RE: Bind9 on VMWare
Message-ID: <008501d14e0b$1503ea80$3f0bbf80$@glattnet.ch>


>> I'm not sure if it is a good thing to have physical servers, although we
>> have a vmware cluster in both nodes which has enough capacity (ram, cpu,
>> disk)?
>> I once read that the vmware boxes have a performance issue with heavy udp
>> based services. Did anyone of you face such an issue? Are your dns
>> servers all running on physical or virtual boxes?
>
> where did you read that?

I don't remember where I read that. I guess it was on a mailing list where
the OP had issues with either a DHCP or syslog server. It all came down to
the vmware host/switch which was not good enough for udp services. Could be
that this was on Vmware 4.x and got better on 5.x.

But as I said, I can't recall exactly where that was.





------------------------------

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

End of bind-users Digest, Vol 2286, Issue 2
*******************************************

