Date: Tue, 2 Dec 2014 21:25:30 -0500
From: "John Von Essen" <john@quonix.net>
To: <freebsd-hackers@freebsd.org>
Subject: RE: Bind, DNS, and Denial of Service
Message-ID: <004e01d00ea0$6b7c7860$42756920$@quonix.net>
In-Reply-To: <381c25e1046453b9f7a5c94809e7d7fb@ultimatedns.net>
References: <002e01d00e8c$1b7d6f40$52784dc0$@quonix.net> <381c25e1046453b9f7a5c94809e7d7fb@ultimatedns.net>
Thanks... Right now I have a FreeBSD 9.3 system; after a clean install I went in and built Bind99 from ports with the RRL option.

Question is, how do I force /etc/rc.d/named to use the new bind9.9 that I built from ports and now resides in /usr/local/sbin? Do I just edit /etc/defaults/rc.conf and tell it to use /usr/local/sbin/named instead of /usr/sbin/named? I thought there might be a cleaner way to do this, just curious.

-John

-----Original Message-----
From: Chris H [mailto:bsd-lists@bsdforge.com]
Sent: Tuesday, December 02, 2014 9:18 PM
To: freebsd-hackers@freebsd.org; John Von Essen
Subject: Re: Bind, DNS, and Denial of Service

On Tue, 2 Dec 2014 19:00:06 -0500 "John Von Essen" <john@quonix.net> wrote
> I figure this might be the best place to start this discussion.
>
> I've been using FreeBSD for ages for some core systems, one of those
> being Auth and public caching DNS.
>
> Lately I've been getting hit hard by reflective DDoS on DNS, so my old
> systems need some updating.
>
> Question is, what's the best/simplest solution moving forward? FreeBSD
> 9.3 or 10.1? Do I continue to use BIND with the rate-limiting feature,
> or go with something else?
>
> I will say, I tried to get a FreeBSD 10.1 instance running with BIND
> 10 - no luck, so I did BIND 9.9 with the RRL feature. It sort of
> worked, but was weird. I was getting a ton of weird responses on the
> server the moment I turned BIND on.
>
> It's been so long since I've worked on this stuff, my old 8.X machines
> have been running for years.
>
> I am open to using something else for the caching, but for the Auth I
> really want to stay with Bind. It's just really hard to implement BIND
> with RRL on newer FreeBSD distros, I get the feeling that the FreeBSD
> folks want to move on from BIND.
>
> Any help would be appreciated.

Hello, John.

FWIW, you might find dns/nsd a good fit. It's even possible to get it to output "Bind like" log messages. I've replaced the Bind on all but one of our servers with it, in an effort to evaluate it for being a replacement. I'm finding it difficult to keep the last server still running the Bind going. So I'll probably have to replace it with something soon. Just haven't *yet* determined *what* other DNS to evaluate. I only ran into one issue with it (NSD). It was NSD itself, and the reaction time is extremely good (less than a week), and a new (fixed) version was out.

Anyway. Just thought I'd share my experience. In case it helps.

--Chris

>
> -John
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
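For the RRL part of the thread, the following is an added illustration of what a Response Rate Limiting block looks like in named.conf for a BIND 9.9 build that has RRL compiled in; it is not configuration taken from the thread, from John's or Chris's servers, or from the BIND project's documentation. The numeric limits, the directory path and the zone name are assumptions to be tuned per server; the option names (rate-limit, responses-per-second, window, slip, log-only, exempt-clients) are the ones BIND 9.9 with RRL accepts.

```conf
// Added example: authoritative-only named.conf options with RRL.
// Assumed paths and limits; adjust to the server being configured.
options {
    directory "/usr/local/etc/namedb";   // assumed: ports-style layout

    // An authoritative server that also answers recursive queries for
    // the world is the classic reflection amplifier; refuse recursion.
    recursion no;
    allow-recursion { none; };

    // Response Rate Limiting: identical answers to the same /24 (IPv4)
    // or /56 (IPv6) client prefix are limited per second, which is what
    // blunts spoofed-source reflection without silencing legit clients.
    rate-limit {
        responses-per-second 10;   // assumed limit for ordinary answers
        nxdomains-per-second 5;    // assumed limit for NXDOMAIN answers
        errors-per-second 5;       // assumed limit for error answers
        window 5;                  // seconds of history per client bucket
        slip 2;                    // every 2nd dropped answer becomes a
                                   // truncated reply so real clients retry over TCP
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { 127.0.0.1; ::1; };   // assumed: local monitoring
        log-only yes;              // observe first; switch to "no" to enforce
    };
};

// RRL decisions are logged under the "rate-limit" category; give it a
// channel so the log-only run can be reviewed before enforcement.
logging {
    channel rrl_log {
        file "/var/log/named-rrl.log" versions 3 size 5m;   // assumed path
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};

zone "example.org" {                 // assumed zone name
    type master;
    file "master/example.org.db";    // assumed zone file
};
```

The point of starting with `log-only yes` is that RRL has false positives in the "many distinct clients behind one NAT" case, and the log lines show what would have been dropped or slipped before any real client is affected; once the counts look sane, flip it to `no` and re-run `named-checkconf` before reloading. As for John's rc.d question: on FreeBSD 9.x the base /etc/rc.d/named script reads its binary path from the `named_program` variable (default /usr/sbin/named in /etc/defaults/rc.conf), so the override belongs in /etc/rc.conf as `named_program="/usr/local/sbin/named"` rather than in the defaults file, which is overwritten on upgrade.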