BIND9 Response Rate Limiting


Response Rate Limiting in the Domain Name System (DNS RRL)
BIND9 RRL and RPZ Patches
Response Rate Limiting has not been merged into an official release yet; it requires a patch and is only available for BIND9.
tar zxf bind-9.9.2-P2.tar.gz
cd bind-9.9.2-P2
patch -p0 -i rpz2+rl-9.9.2-P2.patch
./configure
make install
`named -v` should now report BIND 9.9.2-rpz2+rl.131.14-P2.
Restart named. If it complains unknown option 'rate-limit', the patch probably did not apply, or you are still running the old named binary (check which named is on the PATH and which one the init script starts).

rate-limit parameter description
To exempt an IP range from rate limiting, list it in the exempt-clients parameter; those clients are never subject to rate-limit.
DNS Response Rate Limiting (DNS RRL) Draft1

If your DNS server only hosts your own domains and does not provide resolver service, disable recursion entirely:
allow-recursion {"none";};
recursion no;

If your DNS server does provide resolver service, do not open recursion to the whole Internet; allow only the networks that need it.
Define an acl "mynetwork" containing the networks that may use recursion, then:
allow-recursion { mynetwork; };

With the above in place, the DNS server has basic protection against DNS amplification attacks.
When the query rate exceeds the configured limit, responses are dropped and a client (here, dig) sees errors like the following. The truncated reply is RRL's slip mechanism telling the client to retry over TCP; the second line appears when that TCP retry cannot reach the server, for example because TCP port 53 is filtered, so make sure TCP/53 is open or legitimate clients will fail too:
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached

On the server side, dns-queries.log will contain "drop NODATA response" messages.
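The pieces above (patch/version check, the rate-limit block with exempt-clients, and the recursion ACL) put together as one script. This is an added example and not code from the original post or from BIND; the network ranges, file paths and the "monitoring" ACL are placeholders you must replace for your site. It writes a named.conf, syntax-checks it with named-checkconf when that tool is installed, and decides from a `named -v` string whether RRL should be present.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a named.conf that
# combines the recursion ACL and the rate-limit block, validates it with
# named-checkconf when that tool is installed, and checks whether a
# `named -v` string indicates RRL support. Network ranges and paths are
# placeholders (assumptions); adjust them for your site.
set -eu

# Return 0 if a `named -v` version string indicates RRL is available:
# either the rpz2+rl patch tag is present, or the release is 9.10 or
# newer, which ships RRL natively. A 9.9.4/9.9.5 build with
# --enable-rrl cannot be told apart from a plain build by `named -v`;
# look at the configure flags printed by `named -V` for those.
rrl_in_version() {
    ver="$1"
    case "$ver" in
        *rpz2+rl*) return 0 ;;
    esac
    # Extract "major minor" from e.g. "BIND 9.10.3-P4"; empty if no match.
    num=$(printf '%s\n' "$ver" | sed -n 's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$num" ] || return 1
    set -- $num
    major=$1
    minor=$2
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 10 ]; }; then
        return 0
    fi
    return 1
}

# Write the configuration to the path given as $1.
write_named_conf() {
    cat > "$1" <<'EOF'
// Networks allowed to recurse through this server (placeholder ranges).
acl "mynetwork" { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };

// Monitoring hosts that must never be rate limited (placeholder address).
acl "monitoring" { 192.0.2.10; };

options {
    directory "/var/named";

    // Recursion only for our own networks; everyone else gets
    // authoritative answers only.
    recursion yes;
    allow-recursion { mynetwork; };

    rate-limit {
        // Identical responses allowed per second per client block
        // (/24 for IPv4, /56 for IPv6 by default).
        responses-per-second 5;
        // Seconds of unused credit a client block may bank.
        window 5;
        // Every 2nd response that would be dropped is instead sent
        // truncated (TC=1), so a real client retries over TCP while a
        // spoofed victim receives a tiny packet and no amplification.
        slip 2;
        // Clients listed here are never limited.
        exempt-clients { monitoring; };
        // Uncomment to measure what would be dropped before enforcing.
        // log-only yes;
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rate-limit.log" versions 3 size 5m;
        print-time yes;
        severity info;
    };
    // Start/stop notices for each limited stream land here.
    category rate-limit { rrl_log; };
};
EOF
}

# Syntax-check the file with named-checkconf if BIND's tools are present.
validate_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not found, skipping syntax check of $1" >&2
    fi
}

conf_file="${TMPDIR:-/tmp}/named.conf.rrl"
write_named_conf "$conf_file"
validate_conf "$conf_file"
echo "wrote $conf_file"

installed_ver="$(named -v 2>/dev/null || echo 'named not installed')"
if rrl_in_version "$installed_ver"; then
    echo "$installed_ver: RRL available"
else
    echo "$installed_ver: no RRL tag in version string (check named -V for --enable-rrl)"
fi
```

Start with `log-only yes;` enabled for a day and read the rate-limit log before enforcing; if your own monitoring or secondaries show up there, add them to exempt-clients rather than raising responses-per-second for everyone.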

2014-01-28 Update:
The 9.9.4 patch adds an --enable-rrl configure option; you must run ./configure --enable-rrl or the rate-limit feature is not compiled in.
tar zxf bind-9.9.4.tar.gz
cd bind-9.9.4
patch -p0 -i rpz2+rl-9.9.4.patch
./configure --enable-rrl
make install

2014-05-02 Update:
9.9.5 patch (same --enable-rrl requirement):
tar zxf bind-9.9.5.tar.gz
cd bind-9.9.5
patch -p0 -i rpz2+rl-9.9.5.patch
./configure --enable-rrl
make install

2014-10-15 Update:
BIND 9.10 and later support RRL (Response Rate Limiting) natively, so no patch is needed anymore!


This page contains a single entry by Pank published on May 24, 2013 5:27 AM.
