From hook1988 at gmail.com Sun Aug 4 13:48:47 2013
From: hook1988 at gmail.com (Michael Hock)
Date: Sun, 4 Aug 2013 13:48:47 +0200
Subject: [dns-wg] protect DNS servers from dns amplification attacks
Message-ID:

Hi there,

I need to set up a DNS server which is accessible from the whole internet. I have not chosen a DNS software yet, so maybe we could discuss some, e.g. BIND, dnsmasq, ...

My biggest concern is DNS amplification attacks; I don't want my server to be part of this.
Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?

Best regards,
Michael

From ceo at teds.pk Sun Aug 4 14:15:01 2013
From: ceo at teds.pk (Imtiaz Ahmad)
Date: Sun, 4 Aug 2013 17:15:01 +0500
Subject: [dns-wg] protect DNS servers from dns amplification attacks
In-Reply-To:
References:
Message-ID:

Hi,

The best topology is DNS behind load balancers, handling all the security requirements through a VIP (virtual IP). Let me know which scenarios you are using, that is, public with DSL users, Wi-Fi, mobile or 3G, so I can give you more precise tips. Don't forget to enable monitoring of the DNS machines with Nagios or Cacti.

Best regards

On Sunday, August 4, 2013, Michael Hock wrote:

> Hi there,
>
> I need to set up a DNS server which is accessible from the whole internet.
> I have not chosen a DNS software yet, so maybe we could discuss about some,
> e.g. bind, dnsmasq, ...
>
> My biggest concerns are dns amplification attacks, I don't want my server
> to be part of this.
> Is it already possible to protect DNS servers from spoofing attacks? Maybe
> just by rate-limiting the requests, without breaking legit requests?
>
> Best regards,
> Michael
>

--
IMTIAZ AHMED
T.E.D.S. (Private) Limited.
273-B, St.55, F-11/4, Islamabad-44000.
T: +92 512 211 700, M: +92 334 516 76 09 E: ceo at teds.pk

From vpiocel at yahoo.com Sun Aug 4 14:34:41 2013
From: vpiocel at yahoo.com (Vincent Piocel)
Date: Sun, 4 Aug 2013 14:34:41 +0200
Subject: [dns-wg] protect DNS servers from dns amplification attacks
In-Reply-To:
References:
Message-ID: <45489B03-207E-48D9-99BE-41E10D5229A4@yahoo.com>

Hello,

I'm using the DNS package from Sun with Solaris 11 in a zone. With this, I'm confident of getting the security updates in due time.
Sun used to say "we are the dot in the .com".

If you need more details, you can write me.

Br
Vincent

Sent from my mobile

On 4 August 2013 at 14:15, Imtiaz Ahmad wrote:

> Hi,
>
> The best topology is DNS behind load balancers, doing all requirements of securing through VIP (virtual IP), let me know scenarios you are using, that is, public with DSL users, Wi-Fi, mobile or 3-g to give you more precise tips. Don't forget to enable monitoring of DNS machines with NAGIOS or cacti.
>
> Best regards
>
> On Sunday, August 4, 2013, Michael Hock wrote:
>> Hi there,
>>
>> I need to set up a DNS server which is accessible from the whole internet. I have not chosen a DNS software yet, so maybe we could discuss about some, e.g. bind, dnsmasq, ...
>>
>> My biggest concerns are dns amplification attacks, I don't want my server to be part of this.
>> Is it already possible to protect DNS servers from spoofing attacks? Maybe just by rate-limiting the requests, without breaking legit requests?
>>
>> Best regards,
>> Michael
>
>
> --
> IMTIAZ AHMED
> T.E.D.S. (Private) Limited.
> 273-B, St.55, F-11/4, Islamabad-44000.
> T: +92 512 211 700 , M: +92 334 516 76 09 E: ceo at teds.pk
>
From dot at dotat.at Mon Aug 5 13:40:03 2013
From: dot at dotat.at (Tony Finch)
Date: Mon, 5 Aug 2013 12:40:03 +0100
Subject: [dns-wg] protect DNS servers from dns amplification attacks
In-Reply-To:
References:
Message-ID:

Michael Hock wrote:

> Is it already possible to protect DNS servers from spoofing attacks? Maybe
> just by rate-limiting the requests, without breaking legit requests?

See http://www.redbarn.org/dns/ratelimits

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

From mansaxel at besserwisser.org Wed Aug 7 12:49:48 2013
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Wed, 7 Aug 2013 12:49:48 +0200
Subject: [dns-wg] protect DNS servers from dns amplification attacks
In-Reply-To:
References:
Message-ID: <20130807104948.GA18907@besserwisser.org>

Subject: [dns-wg] protect DNS servers from dns amplification attacks
Date: Sun, Aug 04, 2013 at 01:48:47PM +0200
Quoting Michael Hock (hook1988 at gmail.com):

> Hi there,
>
> I need to set up a DNS server which is accessible from the whole internet.
> I have not chosen a DNS software yet, so maybe we could discuss about some,
> e.g. bind, dnsmasq, ...
>
> My biggest concerns are dns amplification attacks, I don't want my server
> to be part of this.
> Is it already possible to protect DNS servers from spoofing attacks? Maybe
> just by rate-limiting the requests, without breaking legit requests?

Is it a resolver or a name server? A resolver open to the Internet probably is the wrong thing to do. Frankly, if you need to ask the questions above you likely haven't thought through your problem enough before coming to the conclusion that an open resolver is a desirable thing.

For name servers, OTOH, the situation is different. Tony Finch pointed at the Redbarn patches. They work for me.

NSD does rate limiting as of recent releases.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
What I need is a MATURE RELATIONSHIP with a FLOPPY DISK ...

From dot at dotat.at Wed Aug 7 14:55:18 2013
From: dot at dotat.at (Tony Finch)
Date: Wed, 7 Aug 2013 13:55:18 +0100
Subject: [dns-wg] protect DNS servers from dns amplification attacks
In-Reply-To: <2E246831A72BF241B16CE16B9BC4BA9E8EE15EDD@Skyrr-ExchMb1.skyrr.local>
References: <2E246831A72BF241B16CE16B9BC4BA9E8EE15EDD@Skyrr-ExchMb1.skyrr.local>
Message-ID:

Þórhallur Hálfdánarson wrote:

> Just bumped into this one while going through my feeds:
> http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/

With current versions of bind you need to apply the patches to get RRL. When bind-9.9.4 is released you will be able to enable RRL at compile time. (There is a 9.9.4 release candidate out now.) In bind-9.10 RRL will be a standard feature.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

From thorhallur.halfdanarson at advania.is Wed Aug 7 14:51:53 2013
From: thorhallur.halfdanarson at advania.is (Þórhallur Hálfdánarson)
Date: Wed, 7 Aug 2013 12:51:53 +0000
Subject: [dns-wg] protect DNS servers from dns amplification attacks
In-Reply-To:
References:
Message-ID: <2E246831A72BF241B16CE16B9BC4BA9E8EE15EDD@Skyrr-ExchMb1.skyrr.local>

Just bumped into this one while going through my feeds:
http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/

Br,
Tolli

-----Original Message-----
From: dns-wg-bounces at ripe.net [mailto:dns-wg-bounces at ripe.net] On Behalf Of Tony Finch
Sent: 5. August 2013 11:40
To: Michael Hock
Cc: dns-wg at ripe.net
Subject: Re: [dns-wg] protect DNS servers from dns amplification attacks

Michael Hock wrote:

> Is it already possible to protect DNS servers from spoofing attacks? Maybe
> just by rate-limiting the requests, without breaking legit requests?

See http://www.redbarn.org/dns/ratelimits

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

From jim at rfc1035.com Wed Aug 21 14:58:49 2013
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 21 Aug 2013 13:58:49 +0100
Subject: [dns-wg] agenda topics for RIPE67
Message-ID: <18277FEA-C110-49A2-ACCF-0EF629B7466C@rfc1035.com>

Colleagues, the next RIPE meeting is just under two months away. If you have suggestions for discussion topics and/or presentations for the WG, please send them to dns-wg-chair at ripe.net. Thanks.

From benno at NLnetLabs.nl Mon Aug 26 14:09:42 2013
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Mon, 26 Aug 2013 14:09:42 +0200
Subject: [dns-wg] RIPE 67 CFP extended deadline 9 September 2013
Message-ID: <521B4586.5030109@NLnetLabs.nl>

Dear Colleagues,

A list of currently accepted RIPE 67 Plenary talks, BoFs, Tutorials and Workshops is now published at:
https://ripe67.ripe.net/programme/meeting-plan/draft-programme/

There are still a few slots remaining in the final RIPE 67 programme, and the RIPE Programme Committee will accept new proposals until *9 September 2013*. This is our last call for you to submit your proposals.

See https://ripe67.ripe.net/programme/cfp/ or find the original CFP below.

Kind regards
Filiz Yilmaz
for RIPE Programme Committee

------------------

Call for Presentations

A RIPE Meeting is an open event where Internet Service Providers, network operators and other interested parties get together.
Although the meeting is mostly technical, it is also a chance for people to meet and network with others in their field.

RIPE 67 will take place from 14-18 October 2013 in Athens, Greece.

The RIPE Programme Committee (PC) is now seeking content proposals from the RIPE community for the plenary session presentations, BoFs (Birds of a Feather sessions), panels, workshops, tutorials and lightning talks at RIPE 67. The PC is looking for presentations covering topics of network engineering and operations, including but not limited to:

* IPv6 deployment
* Managing IPv4 scarcity in operations
* Commercial transactions of IPv4 addresses
* Data centre technologies
* Network and DNS operations
* Internet governance and regulatory practices
* Network and routing security
* Content delivery
* Internet peering and mobile data exchange

Submissions

RIPE Meeting attendees are quite sensitive to keeping presentations non-commercial, and product marketing talks are strongly discouraged. Repeated audience feedback shows that the most successful talks focus on operational experience, research results, or case studies. For example, presenters wishing to describe a commercial solution should focus on the underlying technology and not attempt a product demonstration.

The RIPE PC accepts proposals for different presentation formats, including plenary session presentations, tutorials, workshops, BoFs (Birds of a Feather sessions) and lightning talks. See the full descriptions of these formats at
https://ripe67.ripe.net/programme/i-want-to-present/presentation-formats/

Presenters who are proposing a panel or BoF are encouraged to include speakers from several (perhaps even competing) companies and/or a neutral facilitator.

In addition to presentations selected in advance for the plenary, the RIPE PC also offers several time slots for "lightning talks", which are selected immediately before or during the conference.

The following general requirements apply:

* Proposals for plenary session presentations, BoFs, panels, workshops and tutorials must be submitted for full consideration no later than 4 August 2013, using the meeting submission system (https://ripe67.ripe.net/submit-topic/). Proposals submitted after this date will be considered on a space-available basis.

* Lightning talks should also be submitted using the meeting submission system (https://ripe67.ripe.net/submit-topic/) and can be submitted just days before the RIPE Meeting starts or even during the meeting week. The allocation of lightning talk slots will be announced at short notice, in some cases on the same day but often one day prior to the relevant session.

* Presenters should indicate how much time they will require. See more information on time slot allocations per presentation format (https://ripe67.ripe.net/programme/i-want-to-present/presentation-formats/)

* Proposals for talks will only be considered by the PC if they contain at least draft presentation slides (slides may be updated later on). For panels, proposals must contain a clear description, as well as the names of invited panelists, presenters and moderators.

* Due to potential technical issues, it is expected that most, if not all, presenters/panelists will be physically present at the RIPE Meeting.

If you have any questions or requests concerning content submissions, please email pc [at] ripe [dot] net.

--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/

From mir at ripe.net Wed Aug 28 09:38:51 2013
From: mir at ripe.net (Mirjam Kuehne)
Date: Wed, 28 Aug 2013 09:38:51 +0200
Subject: [dns-wg] New on RIPE Labs: A Question of DNS Protocols (by Geoff Huston)
Message-ID: <521DA90B.3080702@ripe.net>

Dear colleagues,

Please find a new article by Geoff Huston on RIPE Labs:

A Question of DNS Protocols:
https://labs.ripe.net/Members/gih/a-question-of-dns-protocols

Kind regards,
Mirjam Kuehne
RIPE NCC
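Editor's added example for the "protect DNS servers from dns amplification attacks" thread above; it is not part of any message in the archive and not ISC's or Redbarn's own sample configuration. It puts the two points Måns Nilsson and Tony Finch make into one BIND 9 named.conf fragment: refuse recursion so the box is not an open resolver, and turn on Response Rate Limiting (RRL, the Redbarn patches, built in from BIND 9.9.4 with --enable-rrl and standard in 9.10). The ACL range, zone name and file paths are placeholders; the numeric limits are reasonable starting values, not tuned figures from the thread.

```conf
// Added example, not from the thread. BIND 9.9.4 (--enable-rrl) or 9.10+.
// Network range, zone name and paths are placeholders.

acl "internal" { 127.0.0.0/8; ::1/128; 192.0.2.0/24; };   // placeholder: your own networks

options {
    directory "/var/named";

    // Authoritative only. An open resolver is the classic amplifier,
    // so refuse recursion and cached data to everyone; serve only
    // the zones configured below.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };          // authoritative data may be served to anyone

    // Response Rate Limiting: identical responses to the same /24 (or /56)
    // are limited per second. "slip 2" answers every second dropped query
    // with a small truncated (TC) reply, so a real client retries over TCP,
    // which a forged source address cannot do.
    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { internal; };
        log-only yes;              // measure first; set to "no" once the limits look right
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 10m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};

zone "example.com" {
    type master;
    file "example.com.zone";       // placeholder
};
```

Two checks after reloading: from a host outside the "internal" ACL, `dig @<server> <some-domain-you-do-not-serve> A` should come back REFUSED with no `ra` flag, which is what an open-resolver scanner is looking for; and with `log-only yes` the rate-limit channel shows "would limit" entries for the clients that exceed the thresholds, so you can see who would be affected (monitoring probes, big resolvers behind NAT) before switching to `log-only no`. Measuring first is the answer to Michael's worry about breaking legitimate traffic.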