From: "John Von Essen"
To: freebsd-hackers@freebsd.org
Subject: RE: Bind, DNS, and Denial of Service
Date: Tue, 2 Dec 2014 21:25:30 -0500
Message-ID: <004e01d00ea0$6b7c7860$42756920$@quonix.net>
In-Reply-To: <381c25e1046453b9f7a5c94809e7d7fb@ultimatedns.net>
References: <002e01d00e8c$1b7d6f40$52784dc0$@quonix.net> <381c25e1046453b9f7a5c94809e7d7fb@ultimatedns.net>
List-Id: Technical Discussions relating to FreeBSD

Thanks...

Right now I have a FreeBSD 9.3 system; after a clean install I went in and built Bind99 from ports with the RRL option.

Question is, how do I force /etc/rc.d/named to use the new bind9.9 that I built from ports and now resides in /usr/local/sbin?
Do I just edit /etc/defaults/rc.conf and tell it to use /usr/local/sbin/named instead of /usr/sbin/named? I thought there might be a cleaner way to do this, just curious.

-John

-----Original Message-----
From: Chris H [mailto:bsd-lists@bsdforge.com]
Sent: Tuesday, December 02, 2014 9:18 PM
To: freebsd-hackers@freebsd.org; John Von Essen
Subject: Re: Bind, DNS, and Denial of Service

On Tue, 2 Dec 2014 19:00:06 -0500 "John Von Essen" wrote
> I figure this might be the best place to start this discussion.
>
> I've been using FreeBSD for ages for some core systems, one of those being Auth and public caching DNS.
>
> Lately I've been getting hit hard by reflective DDoS on DNS, so my old systems need some updating.
>
> Question is, what's the best/simplest solution moving forward? FreeBSD 9.3 or 10.1? Do I continue to use BIND with the rate-limiting feature, or go with something else?
>
> I will say, I tried to get a FreeBSD 10.1 instance running with BIND 10 - no luck, so I did BIND 9.9 with the RRL feature. It sort of worked, but was weird. I was getting a ton of weird responses on the server the moment I turned BIND on.
>
> It's been so long since I've worked on this stuff, my old 8.X machines have been running for years.
>
> I am open to using something else for the caching, but for the Auth I really want to stay with Bind. It's just really hard to implement BIND with RRL on newer FreeBSD distros, I get the feeling that the FreeBSD folks want to move on from BIND.
>
> Any help would be appreciated.

Hello, John.

FWIW you might find dns/nsd a good fit. It's even possible to get it to output "Bind like" log messages. I've replaced the Bind on all but one of our servers with it, in an effort to evaluate it as a replacement. I'm finding it difficult to keep the last server still running the Bind going.
So I'll probably have to replace it with something soon. Just haven't *yet* determined *what* other DNS to evaluate. I only ran into one issue with it (NSD). It was NSD itself, and the reaction time is extremely good (less than a week), and a new (fixed) version was out.

Anyway. Just thought I'd share my experience. In case it helps.

--Chris

>
> -John
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
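As an added example (not from the thread or from either poster): a small sh/awk script that summarises ANY queries per source /24 from BIND query-log lines, the reflection traffic pattern that RRL is meant to throttle. The sample log lines are constructed to match BIND 9.9's query-log format, the addresses are documentation ranges, and the /24 grouping mirrors RRL's default ipv4-prefix-length of 24; it is useful for seeing whether a server is being used as a reflector before and after enabling rate-limit.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise ANY queries per source /24
# from BIND query-log lines, the traffic pattern RRL is meant to throttle.
# The /24 grouping mirrors RRL's default ipv4-prefix-length of 24.
# Usage: any_flood_report [THRESHOLD] < querylog

any_flood_report() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        # Accept both bare and syslog-prefixed lines, e.g.
        #   client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
        / query: [^ ]+ IN ANY / {
            if (match($0, /client [0-9.]+#/)) {
                # RSTART points at "client ", RLENGTH spans through "#"
                ip = substr($0, RSTART + 7, RLENGTH - 8)
                n = split(ip, o, ".")
                if (n == 4) {
                    pfx = o[1] "." o[2] "." o[3] ".0/24"
                    count[pfx]++
                }
            }
        }
        END {
            for (p in count)
                if (count[p] >= thr)
                    printf "%s %d\n", p, count[p]
        }' | sort
}

# Constructed sample log: one /24 bursting ANY queries for a large zone,
# plus a few ordinary lookups. Addresses are documentation ranges.
sample_log() {
    cat <<'EOF'
Dec  2 21:00:01 ns1 named[812]: client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
Dec  2 21:00:01 ns1 named[812]: client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
Dec  2 21:00:01 ns1 named[812]: client 203.0.113.9#4321: query: isc.org IN ANY +E (192.0.2.53)
Dec  2 21:00:02 ns1 named[812]: client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
Dec  2 21:00:02 ns1 named[812]: client 198.51.100.20#53011: query: www.example.net IN A +E (192.0.2.53)
Dec  2 21:00:03 ns1 named[812]: client 198.51.100.20#53012: query: example.net IN ANY +E (192.0.2.53)
Dec  2 21:00:03 ns1 named[812]: client 192.0.2.10#40001: query: example.net IN MX +E (192.0.2.53)
EOF
}

# Stand-alone run: prefixes sending 3 or more ANY queries in the sample.
sample_log | any_flood_report 3
```

Feed it the real query log (with `querylog yes` or a `queries` logging channel enabled in named.conf) to rank the prefixes that would be hit by rate-limit.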