bind9 has no rate limit option
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Fix Released | Wishlist | Unassigned |
Precise | Won't Fix | Wishlist | Unassigned |
Bug Description
Bind9 is vulnerable to being used as a DDoS even when recursion is turned off.
Ref: http://
Can the Ubuntu team (or whoever is responsible for the bind9 package) please integrate this into a new package for the LTS?
I've looked at the changelogs for 12.04 on the bind9 package & can't see that it was added. I've also tried adding the rate limit directive & I get "unknown option rate-limit" and bind9 fails to start.
As of this update, I have the latest bind9 package installed ( 1:9.8.1.
One recommended fix is here:
http://
If this is not eligible for an LTS, can we please add it to 12.10 or 13.04?
Thank you,
Robert
information type: Private Security → Public Security
Changed in bind9 (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
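For reference, this is what the option the reporter tried to add looks like in a BIND release that carries Response Rate Limiting (RRL is built into BIND 9.9.4 and later; earlier versions only have it as an out-of-tree patch). This is an added illustration, not configuration from the bug report or from the Ubuntu package, and the numbers are starting points for an authoritative server rather than values the page recommends; the `exempt-clients` list is a hypothetical placeholder.

```conf
options {
    // ... existing options ...

    // Response Rate Limiting. A named built without RRL (such as the 9.8.1
    // in 12.04) rejects this block as an unknown option at config parse
    // time, which is the "fails to start" the reporter saw.
    rate-limit {
        responses-per-second 5;   // identical responses per client netblock
                                  // (IPv4 /24, IPv6 /56 by default) per second
        window 5;                 // seconds over which unused credit accumulates
        slip 2;                   // every 2nd dropped reply is sent truncated (TC=1):
                                  // a real client retries over TCP, a spoofed victim
                                  // only receives a tiny packet
        log-only no;              // "yes" to measure what would be limited first
        exempt-clients { 127.0.0.1; ::1; };  // hypothetical: never limit these
    };
};
```

Validate with `named-checkconf` before restarting so an unsupported option is reported by the checker instead of taking named down, and run with `log-only yes` for a while, watching the `rate-limit` logging category, before enforcing. RRL limits identical responses, so it targets reflection traffic without a flat per-client cap; a firewall hashlimit (below) limits all queries from a source regardless of answer size, which is the trade-off between the two approaches.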
Indeed, this looks useful.
However, performing the rate limiting in the kernel using firewall rules can be more efficient and not require any BIND patches.
There are three mechanisms I can think of for performing this rate limiting today, without waiting for updates:
- Insert iptables hashlimit rules. Here is one suggested rule:
  iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
    --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
    --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 \
    -j drop_log_dns_abuse   # drop_log_dns_abuse: user-defined chain that logs and drops
  (The rule was suggested by joerg jungermann in another context at http://mailman.powerdns.com/pipermail/pdns-users/2012-September/009235.html )
- Use phreld to dynamically insert DROP rules for hosts that bypass limits: http://www.digitalgenesis.com/software/phrel/manual/phreld.html (Sadly, not packaged for Ubuntu.) I know this option is preferred by some commercial DNS hosts.
- Use ufw limit to add some quick limits. Since this is intended first and foremost to prevent OpenSSH brute-force connection attempts, the default limits may be too low for applying to DNS. This might still be appropriate for very small installations, however. Your mileage may vary.
I hope this helps. Thanks.
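The hashlimit approach from the comment above, put together as an added example (not code from the bug thread or the bind9 package): the quoted match rule, the logging DROP chain it jumps to, and a way to inspect the live per-source table. The 200/sec rate, 500 burst and hash-table sizes follow the quoted rule; the chain name `DNS_ABUSE`, the table name `DNS-ABUSER` and the 5-per-minute log rate are my assumptions. The script prints the iptables commands by default and only touches the kernel when run with `apply`.

```shell
#!/bin/sh
# Added example: per-source-IP rate limit for UDP/53 with iptables hashlimit.
# Assumed (hypothetical) values: chain DNS_ABUSE, table DNS-ABUSER, 5 log
# lines per minute. Override with environment variables, e.g. RATE=50/sec.
RATE=${RATE:-200/sec}
BURST=${BURST:-500}
CHAIN=${CHAIN:-DNS_ABUSE}
TABLE=${TABLE:-DNS-ABUSER}   # shows up under /proc/net/ipt_hashlimit/

# Emit the rules as commands instead of running them, so the plan can be
# reviewed (and tested) without root; "apply" pipes them into sh -e.
# Idempotent: -N fails harmlessly when the chain exists (then it is flushed,
# it is ours), and -C skips the INPUT jump when it is already present.
dns_rate_limit_rules() {
    dns_match="-p udp --dport 53 -m hashlimit --hashlimit-above $RATE --hashlimit-burst $BURST --hashlimit-mode srcip --hashlimit-name $TABLE --hashlimit-htable-size 8192 --hashlimit-htable-max 32768"
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "DNS-ABUSE: " --log-level warning
iptables -A $CHAIN -j DROP
iptables -C INPUT $dns_match -j $CHAIN 2>/dev/null || iptables -A INPUT $dns_match -j $CHAIN
EOF
}

# What the rules are doing: packet/byte counters on the chain, plus the live
# buckets (one line per source address with its remaining credit) that the
# hashlimit module exports for the named table.
dns_rate_limit_status() {
    iptables -L "$CHAIN" -n -v -x
    cat "/proc/net/ipt_hashlimit/$TABLE" 2>/dev/null \
        || echo "hashlimit table $TABLE not present: is the INPUT rule loaded?"
}

case "${1:-print}" in
    apply)  dns_rate_limit_rules | sh -e ;;
    status) dns_rate_limit_status ;;
    *)      dns_rate_limit_rules ;;
esac
```

Two things to check before relying on this. First, `--hashlimit-mode srcip` keys on the exact source address, so a large ISP resolver or a NAT fronting many clients can legitimately exceed 200 queries/sec and be cut off; watch the `DNS-ABUSE:` log lines for known-good addresses before lowering the rate, or aggregate per prefix with `--hashlimit-srcmask 24` the way BIND's RRL does. Second, this covers IPv4 UDP only: repeat the same rules with `ip6tables` for IPv6, and leave TCP/53 alone, since TCP queries cannot be source-spoofed and are the fallback a legitimate client needs when rate limited.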