Linux: May 2013 Archives

Response Rate Limiting in the Domain Name System (DNS RRL)
BIND9 RRL and RPZ Patches
這個 Response Rate Limiting 還沒有正式進官方版本, 需 Patch, 只支援 BIND9
tar zxf bind-9.9.2-P2.tar.gz
cd bind-9.9.2-P2
patch -p0 -i rpz2+rl-9.9.2-P2.patch
make install
named -v 應該要看到 BIND 9.9.2-rpz2+rl.131.14-P2
重啟 named, 若看到 unknown option 'rate-limit' 表示 Patch 可能沒成功, 或者執行到舊的 named

rate-limit 參數說明
若要設例外 IP 區段, 可以用 exempt-clients 參數, 不受 rate-limit 限制
DNS Response Rate Limiting (DNS RRL) Draft1

若您的 DNS Server 只管自家 Domain, 沒有提供服務, 最好把 recursion 查詢關閉
allow-recursion {"none";};
recursion no;

若您的 DNS Server 有提供服務, recursion 也不要全開, 只開必要網段,
訂一個 acl "mynetwork", 把開放 recursion 查詢的網段加入
allow-recursion { mynetwork; };

以上做完, DNS Server 就有基本防護 DNS Amplification Attack 的能力
若 Query rate 超出設定值, 會被擋下, Client 端會出現以下的錯誤
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached

Server 端的 dns-queries.log 會有 drop NODATA response 的訊息

2014-01-28 Update:
9.9.4 Patch 加入 --enable-rrl 參數, 需 ./configure --enable-rrl 才會啟動 rate-limit 功能
tar zxf bind-9.9.4.tar.gz
cd bind-9.9.4
patch -p0 -i rpz2+rl-9.9.4.patch
./configure --enable-rrl
make install

2014-05-02 Update:
9.9.5 Patch
tar zxf bind-9.9.5.tar.gz
cd bind-9.9.5
patch -p0 -i rpz2+rl-9.9.5.patch
./configure --enable-rrl
make install

2014-10-15 Update:
BIND 9.10 以後的版本已經支援 RRL (Response Rate Limiting), 不用 Patch 了!

About this Archive

This page is an archive of entries in the Linux category from May 2013.

Linux: November 2012 is the previous archive.

Linux: June 2013 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Linux: Monthly Archives

Monthly Archives