From: "John Von Essen" <john@quonix.net>
To: freebsd-hackers@freebsd.org
Subject: Bind, DNS, and Denial of Service
Date: Tue, 2 Dec 2014 19:00:06 -0500
Message-ID: <002e01d00e8c$1b7d6f40$52784dc0$@quonix.net>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

I figure this might be the best place to start this discussion. I've been using FreeBSD for ages for some core systems, one of those being Auth and public caching DNS.
Lately I've been getting hit hard by reflective DDoS on DNS, so my old systems need some updating. Question is, what's the best/simplest solution moving forward? FreeBSD 9.3 or 10.1? Do I continue to use BIND with the rate-limiting feature, or go with something else?

I will say, I tried to get a FreeBSD 10.1 instance running with BIND 10 - no luck, so I did BIND 9.9 with the RRL feature. It sort of worked, but was weird. I was getting a ton of weird responses on the server the moment I turned BIND on.

It's been so long since I've worked on this stuff; my old 8.X machines have been running for years. I am open to using something else for the caching, but for the Auth I really want to stay with BIND. It's just really hard to implement BIND with RRL on newer FreeBSD distros; I get the feeling that the FreeBSD folks want to move on from BIND.

Any help would be appreciated.

-John
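For reference, the RRL setup the post is asking about, as an added example that is not part of the original message or of any reply on the list. It assumes BIND 9.9.4 or later built with RRL support (the dns/bind99 port option on FreeBSD; BIND 9.10 has it on by default), one named.conf fragment for the authoritative server and one for the caching resolver, and the zone name, file paths and address ranges are constructed placeholders, not the poster's. The practitioner caveat it encodes: RRL is designed for authoritative servers, where identical answers to a spoofed source can be throttled; on a caching resolver the reflector is the open recursion itself, so the first fix there is to limit who may recurse, and rate-limit only backstops that.

```conf
// ---- Authoritative server: named.conf fragment (example, not from the post) ----
options {
    directory "/usr/local/etc/namedb/working";   // assumed path
    recursion no;                 // authoritative only; never recurse for the Internet
    allow-query { any; };         // public zones must be answerable by anyone
    minimal-responses yes;        // smaller answers mean less amplification per spoofed query

    rate-limit {
        responses-per-second 5;   // identical answers per second to one /24 (IPv4) or /56 (IPv6)
        errors-per-second 5;      // same cap for SERVFAIL/REFUSED style errors
        nxdomains-per-second 5;   // and for NXDOMAIN, a favourite of random-subdomain floods
        window 5;                 // seconds of unused credit a client may bank
        slip 2;                   // every 2nd dropped answer is sent truncated (TC=1) instead,
                                  // so a legitimate client retries over TCP and gets through
        log-only yes;             // start here, watch "rate limit" log lines, then set to no
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };   // own secondaries/monitors; constructed range
    };
};

zone "example.org" {              // placeholder zone
    type master;
    file "master/example.org";    // assumed path
};

// ---- Caching resolver: named.conf fragment on a separate host or instance (example) ----
acl "trusted" { 127.0.0.0/8; 198.51.100.0/24; };   // constructed: the networks allowed to recurse

options {
    directory "/usr/local/etc/namedb/working";   // assumed path
    recursion yes;
    allow-recursion { trusted; };   // an open resolver *is* the reflector; close it
    allow-query-cache { trusted; }; // do not serve cached answers to strangers either
    rate-limit {
        responses-per-second 10;    // backstop for whatever still reaches the cache
        slip 2;
        log-only no;
    };
};
```

Run `named-checkconf` on the result before reloading, and keep `log-only yes` on the authoritative side for a day or two so you can see which clients would be dropped before enforcing. Note also that a single named can't combine both `options` blocks; if auth and cache must share one box, use two views or two named instances bound to different addresses.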