From maradns at gmail.com Wed Mar 20 03:10:04 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Wed, 20 Mar 2013 00:10:04 -0700
Subject: [MaraDNS list] New Deadwood snapshot http://cct2.vk.tj
Message-ID:

New Deadwood snapshot. Changelog: http://cct2.vk.tj

Download: http://maradns.org/deadwood/snap/

- Sam


From maradns at gmail.com Wed Mar 20 03:10:41 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Wed, 20 Mar 2013 00:10:41 -0700
Subject: [MaraDNS list] MaraDNS and nproc limit problem
In-Reply-To: <51289A23.7080102@active24.pl>
References: <51157581.2030204@active24.pl> <51289A23.7080102@active24.pl>
Message-ID:

> Thanks for your answer.

You're welcome. Like I said before, I no longer support MaraDNS 1...any particular reason you are not upgrading to MaraDNS 2?


From wayne.kroncke at tiscali.co.uk Wed Mar 20 04:03:10 2013
From: wayne.kroncke at tiscali.co.uk (wayne at tiscali)
Date: Wed, 20 Mar 2013 08:03:10 +0000
Subject: [MaraDNS list] New Deadwood snapshot http://cct2.vk.tj
In-Reply-To:
References:
Message-ID: <51496D3E.3040804@tiscali.co.uk>

thanks, sam.

Best Regards,
Wayne Kroncke

On 20/03/2013 07:10, Sam Trenholme wrote:
> New Deadwood snapshot. Changelog: http://cct2.vk.tj
>
> Download: http://maradns.org/deadwood/snap/
>
> - Sam


From maradns at gmail.com Thu Mar 28 11:51:55 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Thu, 28 Mar 2013 08:51:55 -0700
Subject: [MaraDNS list] MaraDNS and denial-of-service attacks
Message-ID:

I will probably make this entry a full blown blog, but in the meantime, in light of the huge (300Gb/S) distributed denial-of-service (DDOS) attack against Spamhaus that used DNS, here are my thoughts:

* MaraDNS 1 and Deadwood do not support a technology called "EDNS" that allows for large DNS packets. By only supporting 512-byte packets, both DNS servers do not allow for the 100x amplification used in this DDOS that other DNS servers have.

* My DNS software does not come with unrestricted recursive access enabled by default, and the documentation strongly discourages open recursion.

* I will have to double check, but, as I recall, the documentation and example configuration files do not include an example with unrestricted recursive access.

One feature that would be nice would be to be able to restrict how much data my DNS server sends to a given IP (again, as noted above, MaraDNS/Deadwood already has a form of this because they do not support EDNS). Unfortunately, since I am not developing new features for MaraDNS like this without being compensated for my time, I would need a corporate or government grant to implement this.

- Sam


From Bradley at NorthTech.US Thu Mar 28 12:33:13 2013
From: Bradley at NorthTech.US (Bradley D. Thornton)
Date: Thu, 28 Mar 2013 09:33:13 -0700
Subject: [MaraDNS list] MaraDNS and denial-of-service attacks
In-Reply-To:
References:
Message-ID: <515470C9.70507@NorthTech.US>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 03/28/2013 08:51 AM, Sam Trenholme wrote:
>
> One feature that would be nice would be to be able to restrict how
> much data my DNS server sends to a given IP

That will take you a while spending only one day a month or so dedicated to MaraDNS. Prolly better just to focus on keeping it current and squashing bugs as they pop up instead, IMO.

Kindest regards,

- --
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.310.388.9469 (US)
TEL: +44.203.318.2755 (UK)
TEL: +41.43.508.05.10 (CH)
http://NorthTech.US

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Find this cert at x-hkp://pool.sks-keyservers.net

iQEcBAEBAwAGBQJRVHDIAAoJEE1wgkIhr9j36jEH+wUekr/oMythMmjQvyTRPHYU
RwInozt+p/O574DaISMGmk45OtzmBOvK5gAQ/MC7zw/NiMT63xnsFlNQZo6e7H56
3hZBEQEYMPY5GCgbvatwpmSh7RsnV2LqifN0dSgifzr/h4eZd02j7w79s1ht3iOb
GD76XsId879/lLOXXuz3jFihkUsUZaPTh1hb9oSBiZ/MhycF5xTsMSHkCFfkb0kA
R8GydwDQAP24MxS340F+9lIYzA35iHJqZ2TJJbXua7hN0dQHcMiqtfZGDoLfB0fa
QbuXRoLaCI6DauoK0P/f9CbHB275VRH3TwWnbTdMFuysKsDjgGsA9o6CmJAU7QU=
=CY9P
-----END PGP SIGNATURE-----
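Sam's "MaraDNS and denial-of-service attacks" message above rests on two points: a server that ignores EDNS never sends more than 512 bytes over UDP, which bounds the response-to-query ratio an abuser can get out of it, and a per-client byte budget would be the natural next feature. The following is an added, stand-alone Python example written for this archive; it is not code from MaraDNS or Deadwood. It builds a minimal DNS query (RFC 1035 wire format) with an optional EDNS(0) OPT record (RFC 6891), reads the advertised UDP payload size back out, shows how the effective response ceiling differs between an EDNS-aware resolver and a 512-byte-only one, and sketches the per-IP byte budget as a token bucket. The `ByteBudget` class and its `rate`/`burst` parameters are my own assumptions about how such a limiter might look; the sample query and client addresses are constructed.

```python
"""Added example (not MaraDNS/Deadwood code): response-size ceilings with and
without EDNS, and a hypothetical per-client byte budget.

Assumptions (mine): RFC 1035 / RFC 6891 wire formats; answer and authority
sections are empty in a query; the limiter is a plain token bucket of bytes.
"""
import struct
from typing import Optional

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
UDP_LIMIT_NO_EDNS = 512  # RFC 1035 maximum UDP payload when EDNS is not used


def build_query(name: str, qtype: int = 255, edns_size: Optional[int] = None) -> bytes:
    """Encode a minimal recursive query; append an OPT RR if edns_size is given."""
    arcount = 1 if edns_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # id, RD, QD, AN, NS, AR
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return header + question + opt


def _skip_name(buf: bytes, pos: int) -> int:
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        ln = buf[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += ln + 1


def advertised_udp_size(query: bytes) -> Optional[int]:
    """Return the UDP payload size advertised in the query's OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(query, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == OPT_TYPE:
            return rclass  # the CLASS field carries the sender's UDP buffer size
        pos += 10 + rdlen
    return None


def max_response_size(query: bytes, server_supports_edns: bool) -> int:
    """Largest UDP response the server will emit; anything bigger is truncated (TC bit)."""
    adv = advertised_udp_size(query)
    if server_supports_edns and adv is not None:
        return max(UDP_LIMIT_NO_EDNS, adv)
    return UDP_LIMIT_NO_EDNS


def worst_case_amplification(query: bytes, server_supports_edns: bool) -> float:
    """Upper bound on response bytes per query byte, given the server's size ceiling."""
    return max_response_size(query, server_supports_edns) / len(query)


class ByteBudget:
    """Hypothetical per-client limiter: a token bucket of response bytes per IP.

    `rate` is bytes refilled per second, `burst` the bucket capacity. `now` is
    passed explicitly so behaviour is deterministic and testable.
    """

    def __init__(self, rate: float, burst: float) -> None:
        self.rate = rate
        self.burst = burst
        self._state = {}  # ip -> (tokens, last_seen)

    def allow(self, ip: str, nbytes: int, now: float) -> bool:
        tokens, last = self._state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if nbytes > tokens:
            self._state[ip] = (tokens, now)  # over budget: drop or truncate the reply
            return False
        self._state[ip] = (tokens - nbytes, now)
        return True


if __name__ == "__main__":
    q = build_query("example.com", qtype=255, edns_size=4096)  # constructed sample query
    print("query bytes:", len(q), "advertised:", advertised_udp_size(q))
    for edns in (False, True):
        print("edns" if edns else "512-only", "ceiling:", max_response_size(q, edns),
              "ratio bound: %.1f" % worst_case_amplification(q, edns))
```

With the 40-byte constructed query the ceiling is 512 bytes for a server without EDNS and 4096 for one that honours the advertised size, which is the difference Sam is pointing at; the `ByteBudget` is only the shape such a per-IP limiter would take, not a claim about how MaraDNS would implement it.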