NSD and Reflection Rate Limiting

Dear NSD Users,

Recently, specifically in TLD operator circles, there has been a lot of discussion on the use of authoritative servers for reflection attacks.

We have been following these discussions with questions about the core functionality of DNS, NSD’s lean-mean-thus-secure architecture, and good neighbourship in mind. We considered an external and generic tool to deal with reflection but assessed that having a method to prevent reflection attacks within the name server is the best way to lower deployment hurdles. Therefore, we have decided to incorporate a technique to deal with reflection attacks in NSD.

The technique is inspired by the work done by Vixie & Schryver [1] but will, because of biological diversity arguments, differ in some of its implementation details. Of course, it will be written from scratch by NLnet Labs. In the near future you may expect a blog-post on http://www.nlnetlabs.nl/blog/ with a description of the design.

We have prioritized this work and expect to have code available within a few months.

Thank you for using NSD.

– Olaf Kolkman

[1] http://ss.vix.com/~vixie/isc-tn-2012-1.txt

NLnet Labs

Olaf M. Kolkman

www.NLnetLabs.nl
olaf@NLnetLabs.nl

Science Park 400, 1098 XH Amsterdam, The Netherlands

Hi,

Awesome work! Great for having this in NSD!

Seems I'll have to be rolling NSD4 packages to test this and other new
features out shortly in the future.

Greets,
Jeroen

[ Quoting <wouter@NLnetLabs.nl> in "Re: [nsd-users] NSD and Reflection ..." ]

> by NLnet Labs. In the near future you may expect a blog-post on
> http://www.nlnetlabs.nl/blog/ with a description of the design.
>
> We have prioritized this work and expect to have code available
> within a few months.

And here is the blog post with the details on RRL for NSD:
http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/

Will there be a way to turn off (or on) ratelimiting without restarting NSD?

Regards,

> [ Quoting <wouter@NLnetLabs.nl> in "Re: [nsd-users] NSD and
> Reflection ..." ]
>
> > by NLnet Labs. In the near future you may expect a blog-post
> > on http://www.nlnetlabs.nl/blog/ with a description of the
> > design.
> >
> > We have prioritized this work and expect to have code
> > available within a few months.
>
> And here is the blog post with the details on RRL for NSD:
> http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>
> Will there be a way to turn off (or on) ratelimiting without
> restarting NSD?

With NSD4, it will be possible to reload configuration settings. So
you should be able to turn off rate-limiting by updating the
configuration file, setting the rate-limit option to 0 and reloading NSD.

NSD3 does not allow reloading the configuration settings, so when the
RRL patch is ported back, you will have to restart NSD to turn on/off
rate-limiting.

Best regards,
  Matthijs
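To make the response rate limiting (RRL) technique the announcement refers to concrete, and the "rate-limit option set to 0 switches it off" semantics described in the reply above, here is a small Python model of an RRL decision function in the spirit of the Vixie & Schryver design: a credit (token) bucket keyed by the client's network prefix plus the identity of the response, a window of credit that may accumulate, and a "slip" setting that sends every N-th suppressed answer as a truncated reply so a legitimate resolver can retry over TCP while a spoofed victim receives only a tiny packet. This is an added illustration written for this page; it is not NSD's implementation nor NLnet Labs code. The class and parameter names (RrlConfig, ratelimit, window, slip, the prefix lengths, the imputed-name argument), the defaults and the rule that a fresh bucket starts with one second of credit are all assumptions, and the flood scenario is constructed.

```python
"""Toy DNS response rate limiter (RRL) in the spirit of Vixie & Schryver.

Added illustration for this thread; not NSD's implementation. The names
and defaults below are assumptions, not NSD configuration keys.
"""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class RrlConfig:
    ratelimit: int = 200   # allowed responses/second per bucket; 0 disables RRL entirely
    window: int = 15       # seconds of unused credit a bucket may accumulate (burst allowance)
    slip: int = 2          # every slip-th suppressed response goes out truncated (TC=1); 0 = drop all
    ipv4_prefix: int = 24  # clients are aggregated per /24 (IPv4) ...
    ipv6_prefix: int = 64  # ... and per /64 (IPv6), so a spoofed range does not get a bucket per address


class ResponseRateLimiter:
    """Decide, per response, whether to send it, send a truncated reply, or drop it."""

    def __init__(self, cfg: RrlConfig, now=time.monotonic):
        self.cfg = cfg
        self.now = now          # injectable clock so the behaviour can be tested deterministically
        self.buckets = {}       # key -> (credits, time of last refill)
        self.suppressed = {}    # key -> number of suppressed responses, drives the slip cadence

    def _client_prefix(self, client_ip: str) -> str:
        ip = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix if ip.version == 4 else self.cfg.ipv6_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def decide(self, client_ip: str, imputed_name: str, response_type: str) -> str:
        """Return "send", "slip" (reply with TC=1 and no data) or "drop".

        imputed_name is the name the response is "about": the qname for a
        positive answer, the closest existing ancestor for NXDOMAIN or a
        referral, so a random-subdomain flood against one zone shares one bucket.
        """
        cfg = self.cfg
        if cfg.ratelimit == 0:                       # 0 = rate limiting switched off
            return "send"
        key = (self._client_prefix(client_ip), imputed_name.lower().rstrip("."), response_type)
        now = self.now()
        # A bucket seen for the first time starts with one second's worth of credit (assumption).
        credits, last = self.buckets.get(key, (float(cfg.ratelimit), now))
        # Refill in proportion to elapsed time, capped at `window` seconds of credit.
        credits = min(cfg.ratelimit * cfg.window, credits + (now - last) * cfg.ratelimit)
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            return "send"
        self.buckets[key] = (credits, now)
        n = self.suppressed.get(key, 0) + 1
        self.suppressed[key] = n
        if cfg.slip and n % cfg.slip == 0:
            return "slip"                            # truncated reply: a real resolver retries over TCP
        return "drop"


class FakeClock:
    """Manually advanced clock for a deterministic demonstration (constructed helper)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_flood(count: int = 12):
    """Constructed scenario: queries with a spoofed source in one /24 flood NXDOMAIN for one zone."""
    clock = FakeClock()
    rrl = ResponseRateLimiter(RrlConfig(ratelimit=5, window=2, slip=2), now=clock)
    verdicts = [rrl.decide("192.0.2.7", "example.net.", "nxdomain") for _ in range(count)]
    same_prefix = rrl.decide("192.0.2.200", "example.net.", "nxdomain")   # shares the /24 bucket
    other_prefix = rrl.decide("198.51.100.1", "example.net.", "nxdomain")  # fresh bucket, unaffected
    clock.t = 1.0                                                           # one second later: refill
    after_refill = rrl.decide("192.0.2.7", "example.net.", "nxdomain")
    return verdicts, same_prefix, other_prefix, after_refill


if __name__ == "__main__":
    verdicts, same_prefix, other_prefix, after_refill = simulate_flood()
    print("flood verdicts:", verdicts)
    print("same /24, other address:", same_prefix)
    print("different prefix:", other_prefix)
    print("same /24 one second later:", after_refill)
```

With ratelimit 5, window 2 and slip 2, the first five responses of the flood go out, after which the bucket is empty and suppressed responses alternate drop, slip, drop, slip; a second spoofed address in the same /24 lands in the same bucket, an address in another prefix is served normally, and one second later the bucket has refilled. Setting ratelimit to 0 short-circuits the whole check, which is the "set the rate-limit option to 0" behaviour discussed in the thread.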

[ Quoting <matthijs@NLnetLabs.nl> in "Re: [nsd-users] NSD and Reflection ..." ]

> > Will there be a way to turn off (or on) ratelimiting without
> > restarting NSD?
>
> With NSD4, it will be possible to reload configuration settings. So
> you should be able to turn off rate-limiting by updating the
> configuration file, setting the rate-limit option to 0 and reloading NSD.

Cool, although overloading the rrl-ratelimit option in this way does not
have my preference. I'd rather leave these operational settings alone
and have a global ratelimit on/off switch.

> NSD3 does not allow reloading the configuration settings, so when the
> RRL patch is ported back, you will have to restart NSD to turn on/off
> rate-limiting.

Ack.

grtz Miek