As I mentioned previously when writing about BIND response rate limiting, we recently had some problems with our DNS server being hammered, probably as part of a denial of service attack on some remote entities.
DNS is a fairly troublesome protocol because typically it uses UDP, and UDP makes it trivial to cause the server to send its response to an innocent third party.
The correct fix for this seems to be Response Rate Limiting, for which there are patches available for BIND. Request rate limiting, they suggest, happens at the wrong level: it can't tell the difference between someone asking a bunch of distinct queries and someone asking the same query over and over, which is what our attack looked like.
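To make that distinction concrete, here is a toy model of RRL I wrote for this post (it is not BIND's code, and the limits, the per-/24 keying and the sample traffic are my own assumptions): a response-keyed limiter drops the repeated identical answers of a reflection flood but passes a burst of distinct queries from the same address, while a naive per-client request limiter treats both bursts the same.

```python
# Simplified model of DNS Response Rate Limiting (RRL). Toy code written
# for this post, not BIND's implementation; limits and sample data assumed.
from collections import defaultdict
from ipaddress import ip_network

RESPONSES_PER_SECOND = 5   # assumed limit on identical responses per /24 per second
SLIP = 2                   # every SLIPth dropped answer goes out truncated (TC) instead


class RRL:
    def __init__(self):
        self.buckets = defaultdict(int)   # (client /24, qname, qtype) -> responses this second
        self.dropped = defaultdict(int)   # same key -> responses withheld so far

    def decide(self, client_ip, qname, qtype):
        # RRL keys on the *response*: the same name/type sent to the same /24
        # shares one bucket, so a spoofed-source flood for one name fills it fast.
        net = ip_network(f"{client_ip}/24", strict=False)
        key = (net, qname.lower(), qtype)
        self.buckets[key] += 1
        if self.buckets[key] <= RESPONSES_PER_SECOND:
            return "answer"
        self.dropped[key] += 1
        # "slip": occasionally send a tiny truncated reply so a real client retries over TCP
        if SLIP and self.dropped[key] % SLIP == 0:
            return "slip"
        return "drop"


def simulate(queries):
    """Run one second's worth of (client_ip, qname, qtype) queries through the limiter."""
    rrl = RRL()
    counts = {"answer": 0, "slip": 0, "drop": 0}
    for ip, name, qtype in queries:
        counts[rrl.decide(ip, name, qtype)] += 1
    return counts


def request_limit(queries, per_client=RESPONSES_PER_SECOND):
    """Naive per-client request limiting, for contrast: it cannot tell the two bursts apart."""
    seen = defaultdict(int)
    answered = 0
    for ip, _, _ in queries:
        seen[ip] += 1
        if seen[ip] <= per_client:
            answered += 1
    return answered


# Constructed sample traffic; 198.51.100.7 plays the spoofed victim address.
REFLECTION_FLOOD = [("198.51.100.7", "example.com", "ANY")] * 20
LEGIT_BURST = [("198.51.100.7", f"host{i}.example.com", "A") for i in range(20)]
```

Running `simulate` on the two lists answers 5 of the 20 identical queries (the rest dropped or slipped) but all 20 distinct ones, whereas `request_limit` answers exactly 5 in both cases.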
But, getting those patches applied to the RPMs for CentOS was a bit of a pain. Quite a bit, actually, took the better part of a day to get the new RPMs built and tested.
I've made available the packages I've built for 32-bit CentOS 6 at http://yum1.tummy.com/bind-rrl/centos/6/. You should be able to list this location in your “/etc/yum.repos.d/bindrrl.repo” file like this:
[bindrrl]
name=BIND RRL for Enterprise Linux 6 - $basearch
baseurl=http://yum1.tummy.com/bind-rrl/centos/$releasever/$basearch
enabled=1
gpgcheck=1
That should allow you to use yum to install and update to the RRL-patched versions.