From owner-freebsd-hackers@FreeBSD.ORG Wed Dec 3 03:35:04 2014 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 532DEA39 for ; Wed, 3 Dec 2014 03:35:04 +0000 (UTC) Received: from mail.egr.msu.edu (hill.egr.msu.edu [35.9.37.162]) by mx1.freebsd.org (Postfix) with ESMTP id 182801BA for ; Wed, 3 Dec 2014 03:35:03 +0000 (UTC) Received: from hill (localhost [127.0.0.1]) by mail.egr.msu.edu (Postfix) with ESMTP id AFD883056F for ; Tue, 2 Dec 2014 22:26:05 -0500 (EST) X-Virus-Scanned: amavisd-new at egr.msu.edu Received: from mail.egr.msu.edu ([127.0.0.1]) by hill (hill.egr.msu.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0O2NiTI3Omx9 for ; Tue, 2 Dec 2014 22:26:05 -0500 (EST) Received: from EGR authenticated sender Message-ID: <547E82CC.3040007@egr.msu.edu> Date: Tue, 02 Dec 2014 22:26:04 -0500 From: Adam McDougall User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 To: freebsd-hackers@freebsd.org Subject: Re: Bind, DNS, and Denial of Service References: <002e01d00e8c$1b7d6f40$52784dc0$@quonix.net> <381c25e1046453b9f7a5c94809e7d7fb@ultimatedns.net> <004e01d00ea0$6b7c7860$42756920$@quonix.net> In-Reply-To: <004e01d00ea0$6b7c7860$42756920$@quonix.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Dec 2014 03:35:04 -0000 On 12/02/2014 21:25, John Von Essen wrote: > Thanks... Right now I have a FreeBSD 9.3 system, after a clean install I went in and built Bind99 from ports with the RRL option. You may want to consider bind910 which is 9.10 and newer. > > Question is how do I force /etc/rc.d/named to use the new bind9.9 that I built from ports and now resides in /usr/local/sbin? On FreeBSD 10+, /etc/rc.d/named is gone but the bind ports install a named script in /usr/local/etc/rc.d/. I'm doing this and all I need is named_enable="YES" in /etc/rc.conf. > > Do I just edit /etc/defaults/rc.conf and tell it to use /usr/local/sbin/named instead of /usr/sbin/named? Never edit /etc/defaults/*. Always edit the /etc/rc.conf equivalent (copy lines from /etc/defaults) or even /etc/rc.conf.local or files in /etc/rc.conf.d/. See the rc.conf manpage for more info. If you do use /etc/rc.d/named, you can edit these in your own rc.conf: named_program="/usr/sbin/named" # Path to named, if you want a different one. named_conf="/etc/namedb/named.conf" # Path to the configuration file > > I thought there might be a cleaner way to do this, just curious. > > -John > > -----Original Message----- > From: Chris H [mailto:bsd-lists@bsdforge.com] > Sent: Tuesday, December 02, 2014 9:18 PM > To: freebsd-hackers@freebsd.org; John Von Essen > Subject: Re: Bind, DNS, and Denial of Service > > On Tue, 2 Dec 2014 19:00:06 -0500 "John Von Essen" wrote > >> I figure this might be the best place to start this discussion. >> >> >> >> I've been using FreeBSD for ages for some core systems, one of those >> being Auth and public caching DNS. >> >> >> >> Lately I've been getting hit hard by reflective DDoS on DNS, so my old >> systems need some updating. >> >> >> >> Question is, what's the best/simplest solution moving forward? FreeBSD >> 9.3 or 10.1? Do I continue to use BIND with the rate-limiting feature, >> or go with something else? >> >> >> >> I will say, I tried to get a FreeBSD 10.1 instance running with BIND >> 10 - no luck, so I did BIND 9.9 with the RRL feature. It sort of >> worked, but was weird. I was getting a ton of weird responses on the >> server the moment I turned BIND on. >> >> >> >> Its been so long since I've worked on this stuff, my old 8.X machines >> have been running for years. >> >> >> >> I am open to using something else for the caching, but for the Auth I >> really want to stay with Bind. Its just really hard to implement BIND >> with RRL on newer freebsd distro's, I get the feeling that the FreeBSD >> folks want to move on from BIND. >> >> >> >> Any help would be appreciated. > > Hello, John. > > FWIW You might find dns/nsd a good fit. It's even possible to get it to output "Bind like" log messages. I've replaced the Bind on all, but one of our servers with it. In an effort to evaluate it for being a replacement. I'm finding it difficult to keep the last server still running the Bind going. > So I'll probably have to replace it with something soon. Just haven't *yet* determined *what* other DNS to evaluate. I only ran into one issue with it (NSD). It was NSD itself, and the reaction time is extremely good (less than a week), and a new > (fixed) version was out. > > Anyway. Just thought I'd share my experience. In case it helps. > > --Chris > >> >> >> >> -John >> >> >> >> >> >> _______________________________________________ >> freebsd-hackers@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers >> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" >