[ratelimits] patches for BIND 9.8.5-P2 and 9.9.3-P2
Vernon Schryver
vjs at rhyolite.com
Fri Jul 26 22:48:59 UTC 2013
Given
https://lists.isc.org/pipermail/bind-announce/2013-July/000859.html
https://lists.isc.org/mailman/private/bind-workers/2013-July/003209.html
https://lists.isc.org/pipermail/bind-users/2013-July/091252.html
new RPZ and RRL patches for BIND 9.8.5-P2 and 9.9.3-P2 are available
by following the link labeled "Patch files for BIND9"
on http://www.redbarn.org/dns/ratelimits
The RPZ code in those patches supports "rpz-client-IP" triggers and
"rpz-drop" and "rpz-tcp-only" policies. The new trigger can be used
with any RPZ policy and both new policies can be used with any trigger.
That allows such dubious schemes as dropping all requests for some
domains or forcing them to TCP. I hope their intended application
is more useful. A response policy zone of DNS reflection attack
victims with a TCP-only policy might mitigate attacks that are too
distributed to trigger RRL at any single authority. A policy zone of
unreconstructed open resolvers with a drop policy is similar to a mail
DNSBL.
Vernon Schryver vjs at rhyolite.com
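An added example, not part of the post or of the patches themselves: a response policy zone expressing the two intended applications above (TCP-only for reflection victims, drop for open resolvers) using the new "rpz-client-ip" trigger. The zone name rpz.example and all address prefixes are constructed documentation values; the zone is assumed to be loaded through a `response-policy { zone "rpz.example"; };` statement in named.conf.

```zone
; Example RPZ zone (constructed; not from the post or the BIND sources).
; Prefixes are documentation addresses from RFC 5737 / RFC 3849.
$ORIGIN rpz.example.
$TTL 300
@       IN SOA  rpz.example. hostmaster.rpz.example. (
                2013072601 ; serial
                3600       ; refresh
                600        ; retry
                604800     ; expire
                300 )      ; minimum
        IN NS   localhost.

; rpz-client-ip triggers match the *source* address of the query and
; are evaluated before recursion.  IPv4 owner names are written as
;   <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-client-ip   (octets reversed);
; IPv6 words are likewise reversed, with "zz" standing for "::".

; Reflection-attack victims: a query whose (spoofed) source falls in
; these prefixes gets only a truncated (TC=1) answer, so there is
; nothing to amplify, while a genuine resolver there retries over TCP.
24.0.2.0.192.rpz-client-ip      CNAME rpz-tcp-only.   ; 192.0.2.0/24
32.zz.db8.2001.rpz-client-ip    CNAME rpz-tcp-only.   ; 2001:db8::/32

; Unreconstructed open resolvers, DNSBL style: discard their queries
; without any response.
24.0.100.51.198.rpz-client-ip   CNAME rpz-drop.       ; 198.51.100.0/24
32.7.113.0.203.rpz-client-ip    CNAME rpz-drop.       ; 203.0.113.7/32
```

Because the trigger is the client address rather than the query name, the same records apply whatever domain is asked for, which is what makes them usable against attacks too distributed to trip RRL at any one authority.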