In connection with CVE-2013-6320, which corrects a possible security
vulnerability on Windows versions of BIND, new releases are available
at http://www.isc.org/downloads
- 9.9.4-P1
- 9.8.6-P1
- 9.6-ESV-R10-P1
The official announcement for this vulnerability has been sent to
the bind-ann
Simon Forster wrote:
>
> Excellent info. Thank you. What's the specs of the machine you're testing on?
An old-ish Dell Optiplex 760, Core 2 Duo, 3.16 GHz, 4GB RAM.
Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough,
On 23 Sep 2013, at 19:24, Tony Finch wrote:
> Simon Forster wrote:
>>
>> As a matter of interest, if one had a DNSBL with 5.5 million entries
>> (i.e. 5.5 million IPs):
>>
>> 1) What needs to be done to rewrite that to a BIND zone?
>> 2) What sort of machine would be required to load that zon
Simon Forster wrote:
>
> As a matter of interest, if one had a DNSBL with 5.5 million entries
> (i.e. 5.5 million IPs):
>
> 1) What needs to be done to rewrite that to a BIND zone?
> 2) What sort of machine would be required to load that zone?
> 3) How long would it take to load into BIND?
I did
On 23 Sep 2013, at 15:59, Vernon Schryver wrote:
>> From: Eliezer Croitoru
>
>>> Major DNSBL providers have years since limited anonymous clients for
>>> business or other reasons. For example, I think Spamhaus limits
>>> anonymous clients to fewer than 3 queries/second.
>
>> and I doubt the
On Sep 23, 2013, at 7:59 AM, Vernon Schryver wrote:
> From: Eliezer Croitoru
>
>> I was looking for something like that but I am sure a dynamic DB is
>> needed for the task right?
>
> Large DNSBLs are not very dynamic, because they have relatively few
> changes per day. From another perspect
> From: Eliezer Croitoru
> > Major DNSBL providers have years since limited anonymous clients for
> > business or other reasons. For example, I think Spamhaus limits
> > anonymous clients to fewer than 3 queries/second.
> and I doubt they use RRL in the application level..
> I assume they limi
On 09/20/2013 05:12 PM, Vernon Schryver wrote:
> The potential RRL problem is when you provide high volume DNSBL service
> over the open Internet to DNS clients that are not authenticated.
> However, that is unlikely to be a worry, because providing DNSBL
> services over the open Internet is dubiou
On Fri, 2013-09-20 at 14:12 +, Vernon Schryver wrote:
> > From: Shane Kerr
>
> > With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> > fail, right? If you've got enough legitimate lookups going on to
> > trigger RRL then you're going to get lots of failures.
>
> If 6% i
> From: Shane Kerr
> With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> fail, right? If you've got enough legitimate lookups going on to
> trigger RRL then you're going to get lots of failures.
If 6% is "lots", then yes.
> One workaround for this is to set SLIP to 1. I kn
Hi Shane,
On Fri, 2013-09-20 at 11:38 +0200, Shane Kerr wrote:
> Noel,
>
> On 2013-09-20 12:48:31 (Friday)
> Noel Butler wrote:
>
> > On Fri, 2013-09-20 at 01:59 +, Vernon Schryver wrote:
>
> > > > plenty of delayed mail - hostname lookup failures (mostly because of
> > > > URI/DNS BL's),
Noel,
On 2013-09-20 12:48:31 (Friday)
Noel Butler wrote:
> On Fri, 2013-09-20 at 01:59 +, Vernon Schryver wrote:
> > > plenty of delayed mail - hostname lookup failures (mostly because of
> > > URI/DNS BL's), so it certainly works as intended :)
> >
> > That sounds unrelated to RRL. Agai
On Fri, 2013-09-20 at 01:59 +, Vernon Schryver wrote:
> > From: Noel Butler
>
> > now, I never ran it as patches, my policy is only use official upstream
> > sources, so my first play around was with 9.9.3.b2 I think it was.
>
> BIND 9.9.4 and its immediately preceding "beta" and "release
>
> From: Noel Butler
> now, I never ran it as patches, my policy is only use official upstream
> sources, so my first play around was with 9.9.3.b2 I think it was.
BIND 9.9.4 and its immediately preceding "beta" and "release
candidate" releases are the first versions of BIND that were not
"patche
Hi Vernon,
On Thu, 2013-09-19 at 23:42 +, Vernon Schryver wrote:
> BIND RRL has had whitelisting for trusted DNS clients that send repeated
> DNS requests since early days, long before any version of BIND 9.9.4.
> Look for 'exempt-clients{address_match_list};' in either the ARM that
> comes w
On Thu, 2013-09-19 at 23:40 +, Evan Hunt wrote:
> On Fri, Sep 20, 2013 at 09:20:29AM +1000, Noel Butler wrote:
> > I have been using this since 9.9.4bx, and although documentation is/was
> > lacking at the time, so there might be a whitelisting somewhere , but in
> > its absence, I highly advi
> From: Noel Butler
> I have been using this since 9.9.4bx, and although documentation is/was
> lacking at the time, so there might be a whitelisting somewhere , but in
> its absence, I highly advise against using RRL if your mail servers use
> those DNS servers
I believe there been no significa
On Fri, Sep 20, 2013 at 09:20:29AM +1000, Noel Butler wrote:
> I have been using this since 9.9.4bx, and although documentation is/was
> lacking at the time, so there might be a whitelisting somewhere , but in
> its absence, I highly advise against using RRL if your mail servers use
> those DNS ser
On Thu, 2013-09-19 at 16:04 -0700, Michael McNally wrote:
> New versions of BIND are now available from http://www.isc.org/downloads
>
New Features 9.9.4
Added Response Rate Limiting (RRL) functionality to reduce the
effectiveness of DNS as an amplifier for reflected denial-of-service
New versions of BIND are now available from http://www.isc.org/downloads
See the messages in bind-announce announcing BIND 9.9.4, 9.8.6,
and 9.6-ESV-R10 or read the release notes in the ISC Knowledge Base
(https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/)
for more in