Bind, DNS, and Denial of Service

John Von Essen john at quonix.net
Wed Dec 3 00:26:29 UTC 2014


I figure this might be the best place to start this discussion.


I've been using FreeBSD for ages for some core systems, one of those being
Auth and public caching DNS.


Lately I've been getting hit hard by reflective DDoS on DNS, so my old
systems need some updating.


Question is, what's the best/simplest solution moving forward? FreeBSD 9.3
or 10.1? Do I continue to use BIND with the rate-limiting feature, or go
with something else?


I will say, I tried to get a FreeBSD 10.1 instance running with BIND 10 - no
luck, so I did BIND 9.9 with the RRL feature. It sort of worked, but was
weird. I was getting a ton of weird responses on the server the moment I
turned BIND on.


It's been so long since I've worked on this stuff; my old 8.X machines have
been running for years.


I am open to using something else for the caching, but for the Auth I really
want to stay with Bind. It's just really hard to implement BIND with RRL on
newer FreeBSD distros; I get the feeling that the FreeBSD folks want to
move on from BIND.


Any help would be appreciated.


-John
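For the BIND-with-RRL path the post asks about, here is an added example (not the poster's configuration and not from the FreeBSD port): a minimal named.conf for the authoritative server that disables recursion and enables Response Rate Limiting in log-only mode first, so its effect can be checked before any answers are dropped. Addresses, paths and the zone name are placeholders; the rate-limit block requires BIND 9.9.4 or later.

```conf
// Added example (not the poster's config): authoritative-only named.conf with RRL.
// Every address, path and zone name below is a placeholder.

acl "secondaries" { 192.0.2.53; 2001:db8::53; };   // placeholder secondary servers

options {
    directory "/usr/local/etc/namedb";   // placeholder path
    listen-on { any; };
    allow-query { any; };                // authoritative data is public
    recursion no;                        // an auth server must never recurse for the world
    minimal-responses yes;               // smaller answers mean less amplification per query

    rate-limit {
        responses-per-second 5;          // identical answers per /24 (v4) or /56 (v6) per second
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;                        // seconds over which the limits are averaged
        slip 2;                          // every 2nd limited reply is sent truncated (TC) instead of dropped,
                                         // so a real client retries over TCP while a spoofer gets nothing useful
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { "secondaries"; };   // zone transfers and NOTIFY traffic are never limited
        log-only yes;                    // stage 1: observe only; change to "no" to enforce
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 10m;   // placeholder path
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };    // RRL decisions land here, including log-only ones
};

zone "example.com" {                     // placeholder zone
    type master;
    file "master/example.com.db";
};
```

With `log-only yes` the rate-limit log shows which client prefixes and names would have been limited; once secondaries and monitoring hosts are confirmed to be exempt, switch it to `no`. The caching resolver is a separate machine and should instead carry `allow-recursion` restricted to its own client networks.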