Date:      Tue, 02 Dec 2014 18:18:06 -0800
From:      "Chris H" <bsd-lists@bsdforge.com>
To:        <freebsd-hackers@freebsd.org>, "John Von Essen" <john@quonix.net>
Subject:   Re: Bind, DNS, and Denial of Service
Message-ID:  <381c25e1046453b9f7a5c94809e7d7fb@ultimatedns.net>
In-Reply-To: <002e01d00e8c$1b7d6f40$52784dc0$@quonix.net>
References:  <002e01d00e8c$1b7d6f40$52784dc0$@quonix.net>

On Tue, 2 Dec 2014 19:00:06 -0500 "John Von Essen" <john@quonix.net> wrote

> I figure this might be the best place to start this discussion.
> 
> I've been using FreeBSD for ages for some core systems, one of those being
> Auth and public caching DNS.
> 
> Lately I've been getting hit hard by reflective DDoS on DNS, so my old
> systems need some updating.
> 
> Question is, what's the best/simplest solution moving forward? FreeBSD 9.3
> or 10.1? Do I continue to use BIND with the rate-limiting feature, or go
> with something else?
> 
> I will say, I tried to get a FreeBSD 10.1 instance running with BIND 10 - no
> luck, so I did BIND 9.9 with the RRL feature. It sort of worked, but was
> weird. I was getting a ton of weird responses on the server the moment I
> turned BIND on.
> 
> It's been so long since I've worked on this stuff; my old 8.X machines have
> been running for years.
> 
> I am open to using something else for the caching, but for the Auth I really
> want to stay with Bind. It's just really hard to implement BIND with RRL on
> newer FreeBSD distros; I get the feeling that the FreeBSD folks want to
> move on from BIND.
> 
> Any help would be appreciated.

Hello, John.

FWIW, you might find dns/nsd a good fit. It's even possible
to get it to output "Bind like" log messages. I've replaced
the Bind on all but one of our servers with it, in an effort
to evaluate it as a replacement. I'm finding it
difficult to keep the last server still running Bind going.
So I'll probably have to replace it with something soon. Just
haven't *yet* determined *what* other DNS to evaluate. I only
ran into one issue with it (NSD). It was NSD itself, and the
reaction time was extremely good (less than a week) before a new
(fixed) version was out.

Anyway. Just thought I'd share my experience. In case it helps.

--Chris

> 
> -John
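For reference, an illustrative named.conf fragment for the kind of authoritative BIND 9.9 RRL setup John describes, added here as an example and not taken from either poster. The zone name example.net, the 192.0.2.0/24 exempt network and the FreeBSD port paths are assumed placeholders; BIND 9.9.4+ needs to be built with RRL support (the port's RRL option), while 9.10 and later include it by default.

```conf
// Added example: authoritative-only BIND 9.9+ with Response Rate Limiting (RRL).
// Assumptions: BIND built with RRL support; example.net and 192.0.2.0/24 are
// placeholder values, not real infrastructure.
options {
    directory "/usr/local/etc/namedb";
    listen-on { any; };

    // An authoritative server should not recurse for the Internet at large;
    // open resolvers are what reflection attacks abuse. Run the public
    // caching resolver on a separate instance with its own access list.
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };

    // Smaller answers mean less amplification per spoofed query.
    minimal-responses yes;

    rate-limit {
        // Identical responses to one /24 (IPv4) or /56 (IPv6) are capped at
        // this many per second; the excess is dropped or "slipped".
        responses-per-second 10;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;

        // NXDOMAIN and error replies are also used for reflection; cap them too.
        nxdomains-per-second 5;
        errors-per-second 5;

        // Every 2nd dropped response is sent as a tiny truncated (TC=1)
        // answer instead, so legitimate clients can retry over TCP.
        slip 2;

        // Averaging window, in seconds, for the per-second limits.
        window 5;

        // Start in log-only mode to see what would be limited before enforcing;
        // switch to "no" once the logs look sane.
        log-only yes;

        // Never rate-limit your own resolvers or monitoring hosts.
        exempt-clients { 192.0.2.0/24; };
    };
};

zone "example.net" {
    type master;
    file "master/example.net";
};
```

Check `rndc status` and the `rate-limit` log category after reload to confirm RRL is active before disabling `log-only`.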





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?381c25e1046453b9f7a5c94809e7d7fb>