protect DNS servers from dns amplification attacks
Hi there, I need to set up a DNS server which is accessible from the whole internet. I have not chosen DNS software yet, so maybe we could discuss some, e.g. BIND, dnsmasq, ... My biggest concern is DNS amplification attacks; I don't want my server to be part of this. Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests? Best regards, Michael
Hi, The best topology is DNS behind load balancers, handling all the security requirements through a VIP (virtual IP). Let me know the scenario you are using, that is, public with DSL users, Wi-Fi, mobile or 3G, so I can give you more precise tips. Don't forget to enable monitoring of the DNS machines with Nagios or Cacti. Best regards On Sunday, August 4, 2013, Michael Hock wrote:
Hi there,
I need to set up a DNS server which is accessible from the whole internet. I have not chosen DNS software yet, so maybe we could discuss some, e.g. BIND, dnsmasq, ...
My biggest concern is DNS amplification attacks; I don't want my server to be part of this. Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?
Best regards, Michael
-- IMTIAZ AHMED T.E.D.S. (Private) Limited. 273-B, St.55, F-11/4, Islamabad-44000. T: +92 512 211 700 , M: +92 334 516 76 09 E: ceo@teds.pk
Hello, I'm using the DNS package from Sun with Solaris 11 in a zone. With this, I'm confident to get the security updates in due time. Sun used to say "we are the dot in the .com". If you need more details, you can write me. Br Vincent Sent from my mobile On 4 August 2013 at 14:15, Imtiaz Ahmad <ceo@teds.pk> wrote:
Hi,
The best topology is DNS behind load balancers, handling all the security requirements through a VIP (virtual IP). Let me know the scenario you are using, that is, public with DSL users, Wi-Fi, mobile or 3G, so I can give you more precise tips. Don't forget to enable monitoring of the DNS machines with Nagios or Cacti.
Best regards
Michael Hock <hook1988@gmail.com> wrote:
Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?
See http://www.redbarn.org/dns/ratelimits Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Just bumped into this one while going through my feeds: http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/ Br, Tolli -----Original Message----- From: dns-wg-bounces@ripe.net [mailto:dns-wg-bounces@ripe.net] On Behalf Of Tony Finch Sent: 5. August 2013 11:40 To: Michael Hock Cc: dns-wg@ripe.net Subject: Re: [dns-wg] protect DNS servers from dns amplification attacks Michael Hock <hook1988@gmail.com> wrote:
Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?
See http://www.redbarn.org/dns/ratelimits Tony.
Þórhallur Hálfdánarson <thorhallur.halfdanarson@advania.is> wrote:
Just bumped into this one while going through my feeds: http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/
With current versions of bind you need to apply the patches to get RRL. When bind-9.9.4 is released you will be able to enable RRL at compile time. (There is a 9.9.4 release candidate out now.) In bind-9.10 RRL will be a standard feature. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Subject: [dns-wg] protect DNS servers from dns amplification attacks Date: Sun, Aug 04, 2013 at 01:48:47PM +0200 Quoting Michael Hock (hook1988@gmail.com):
Hi there,
I need to set up a DNS server which is accessible from the whole internet. I have not chosen DNS software yet, so maybe we could discuss some, e.g. BIND, dnsmasq, ...
My biggest concern is DNS amplification attacks; I don't want my server to be part of this. Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?
Is it a resolver or a name server? A resolver open to the Internet probably is the wrong thing to do. Frankly, if you need to ask the questions above you likely haven't thought through your problem enough before coming to the conclusion that an open resolver is a desirable thing. For name servers, OTOH, the situation is different. Tony Finch pointed at Redbarn patches. They work for me. NSD does rate limiting as of recent releases. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 What I need is a MATURE RELATIONSHIP with a FLOPPY DISK ...
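Tony Finch's pointer to the Redbarn RRL patches and Måns Nilsson's note that NSD rate-limits too both refer to the same mechanism: Response Rate Limiting, which counts identical responses per client netblock rather than raw queries, so a spoofed flood asking the same question from one forged source is throttled while ordinary resolvers asking varied questions are not. The model below is an added illustration, not code from this thread, from BIND or from NSD. It is a deliberately simplified token bucket whose parameter names mirror BIND's rate-limit options (responses-per-second, window, slip, ipv4-prefix-length); the real implementations differ in accounting details, the NXDOMAIN "zone" is approximated by the last two labels, and the client addresses and query stream are constructed test data.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) for an authoritative
server. Illustrative only: the option names follow BIND's rate-limit {} block,
but the bookkeeping is a plain token bucket, not BIND's or NSD's code."""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # identical responses allowed per second per client block
    window: int = 5                 # seconds of unused credit a bucket may accumulate
    slip: int = 2                   # every slip-th dropped response is sent truncated (TC=1) instead
    ipv4_prefix_length: int = 24    # clients are accounted per /24 (assumption mirroring BIND's default)
    ipv6_prefix_length: int = 56


@dataclass
class Bucket:
    balance: float      # responses still allowed right now
    last_seen: float    # time of the last decision, used to refill credit
    dropped: int = 0    # consecutive drops, used for the slip counter


class ResponseRateLimiter:
    """Token bucket keyed on (client network, response identity)."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.buckets: dict = {}

    def _client_block(self, client_ip: str) -> str:
        addr = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix_length if addr.version == 4 else self.cfg.ipv6_prefix_length
        return str(ipaddress.ip_network(f"{client_ip}/{plen}", strict=False))

    @staticmethod
    def _identity(qname: str, qtype: str, rcode: str):
        name = qname.lower().rstrip(".")
        if rcode == "NOERROR":
            return ("answer", name, qtype.upper())
        if rcode == "NXDOMAIN":
            # RRL groups NXDOMAINs per zone; approximated here by the last two labels
            return ("nxdomain", ".".join(name.split(".")[-2:]))
        return ("error", rcode)

    def decide(self, now: float, client_ip: str, qname: str, qtype: str,
               rcode: str = "NOERROR") -> str:
        """Return 'send', 'slip' (truncated reply, TC=1) or 'drop' for one response."""
        rps = self.cfg.responses_per_second
        key = (self._client_block(client_ip), self._identity(qname, qtype, rcode))
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(balance=rps, last_seen=now)
        # Refill credit for the elapsed time, capped at window seconds' worth.
        b.balance = min(rps * self.cfg.window, b.balance + (now - b.last_seen) * rps)
        b.last_seen = now
        if b.balance >= 1:
            b.balance -= 1
            b.dropped = 0
            return "send"
        b.dropped += 1
        if self.cfg.slip and b.dropped % self.cfg.slip == 0:
            # A TC=1 reply carries no answer data, so it cannot amplify, while a
            # genuine client behind the spoofed address can still retry over TCP.
            return "slip"
        return "drop"


def run_scenario(cfg: RRLConfig = None):
    """Constructed traffic: 50 spoofed 'example.net ANY' queries in one instant
    from a forged source, plus a legitimate resolver in another /24 asking the
    same question once per second. Returns the decision counts for each."""
    rrl = ResponseRateLimiter(cfg or RRLConfig())
    flood = [rrl.decide(0.0, "198.51.100.7", "example.net", "ANY") for _ in range(50)]
    legit = [rrl.decide(float(t), "203.0.113.10", "example.net", "ANY") for t in range(8)]
    return Counter(flood), Counter(legit)


if __name__ == "__main__":
    flood, legit = run_scenario()
    print("spoofed flood:", dict(flood))       # 5 sent, the rest dropped or slipped
    print("legit resolver:", dict(legit))      # every query answered
```

With the defaults, the forged source gets five full answers per second and only truncated or no replies beyond that, so the amplification factor collapses, while the resolver in the other /24 is never touched because it has its own bucket. Raising `window` lets bursty but honest clients accumulate more credit; setting `slip` to 1 answers every excess query with TC=1, which keeps TCP fallback working at the cost of sending one small packet per spoofed query.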
participants (6)
- Imtiaz Ahmad
- Michael Hock
- Måns Nilsson
- Tony Finch
- Vincent Piocel
- Þórhallur Hálfdánarson