La Salle Debain

Open Source @ Consolidated Braincells Inc.


About La Salle Debain

This is a weblog I'm keeping about my work on Debian and any other useful Debian related info I come across. It is not meant to compete with other news sources like Debian Weekly News or Debian Planet. Mostly it is just a way for me to classify and remember all the random bits of information that I have floating around me. I thought maybe by using a blog it could be of some use to others too. Btw. "I" refers to Jaldhar H. Vyas, Debian developer for over 8 years. If you want to know more about me, my home page is here.

The name? Debain is a very common misspelling of Debian and la salle de bains means bathroom in French.

If you have a comment to make on something you read here, feel free to write to me at jaldhar@debian.org.

You can get an rss 0.91 feed of the blog here.

Wednesday, February 11 2009

DNS The MNS

On Monday, I was informed that my server (a xen instance hosted at Brainfood) was chewing up a lot of bandwidth by giving out long DNS responses at the rate of several per second. According to Peter Palfrader, it was most likely due to this DoS attack.

Apparently I was contributing to the problem because my name server (running bind9) was accepting queries from anywhere on the Internet. You can test this via an online tool from SANS or by issuing the following command from a machine that is not on your network (a query from one of your own hosts is supposed to be answered, so it proves nothing):

dig -t ns @your.name.server

With no name given, dig asks for the NS records of the root zone, a query any name server can answer from its root hints and whose reply is large. Look at the status field in the header line of the reply (;; ->>HEADER<<- opcode: QUERY, status: ...). If the status that comes back is NOERROR, you have a problem: your server hands that reply to anybody who asks, and anybody includes an attacker sending spoofed queries.

The fix is to restrict the addresses you allow queries from by adding the allow-query directive to your bind configuration. If you are using the stock Debian setup, add it to the options stanza in /etc/bind/named.conf.options.

Because all my services run on one machine, I did it like this:

allow-query { localhost; };

If yours are spread out over several hosts, list each of their IP addresses inside the same braces, one entry per semicolon. BIND address-match lists also accept CIDR prefixes and the built-in ACL names such as localnets, which is handy when all the hosts share a subnet.

If you are authoritative for any zones, the rest of the world still has to be able to ask about those, so add

allow-query { any; };

to the stanza for each zone. A zone-level allow-query overrides the global one, so the zone stays answerable from anywhere while everything else, including the root NS query above, is refused. In a stock Debian setup, the zone stanzas are in /etc/bind/named.conf.local.

Once you have done this and restarted bind (/etc/init.d/bind9 restart on Debian), go back to the online tool or run dig again. If the status is now REFUSED, congratulations, you have saved the Internet. While you are at it, query one of your own zones from the same outside machine: that one should still come back NOERROR, and if it comes back REFUSED you forgot the allow-query { any; } in that zone's stanza.
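The whole procedure as one script, an added example rather than code from the original post. It renders the two bind9 stanzas described above for a list of hosts or networks, then checks a server with dig the way the post does: the root NS query must come back REFUSED while a query for one of your own zones must still come back NOERROR, and the case where the zone is refused too (the forgotten zone-level allow-query) is reported separately. The zone example.org, the hosts 192.0.2.10 and 192.0.2.0/24, and the server name ns1.example.org are hypothetical, and the allow-recursion line is an addition beyond what the post configures; the dig header lines used to exercise the parser are constructed, so the script runs without a live server.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the allow-query
# configuration for bind9 and verifies a server's behaviour with dig.
# Hypothetical values: zone example.org, hosts 192.0.2.10 and
# 192.0.2.0/24, server ns1.example.org.

# Emit the options stanza (goes in /etc/bind/named.conf.options).
# Arguments are BIND address-match list entries: an IP address, a CIDR
# prefix, or a built-in ACL such as localnets. localhost is always in.
# allow-recursion is not in the post; it keeps recursion restricted even
# if someone later widens allow-query.
render_options() {
    list="localhost;"
    for entry in "$@"; do
        list="$list $entry;"
    done
    printf 'options {\n'
    printf '\tdirectory "/var/cache/bind";\n'
    printf '\tallow-query { %s };\n' "$list"
    printf '\tallow-recursion { %s };\n' "$list"
    printf '};\n'
}

# Emit a master zone stanza (goes in /etc/bind/named.conf.local). The
# zone-level allow-query overrides the global one, so this zone stays
# answerable from anywhere while everything else is refused.
render_zone() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "/etc/bind/db.%s";\n\tallow-query { any; };\n};\n' "$1" "$1"
}

# Pull the status word out of dig's header line. Prints nothing when
# dig got no answer at all (timeout, port 53 filtered).
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*$/\1/p'
}

# Classify a server from the status of the root NS query ($1) and of a
# query for one of its own zones ($2).
classify() {
    case "$1:$2" in
        REFUSED:NOERROR) echo "ok: refuses root NS, still serves its zone" ;;
        NOERROR:*)       echo "open: answers root NS for anyone, restrict allow-query" ;;
        REFUSED:REFUSED) echo "too tight: own zone refused, add allow-query { any; } to the zone stanza" ;;
        :*|*:)           echo "no reply: server unreachable or port 53 filtered" ;;
        *)               echo "unexpected: root=$1 zone=$2" ;;
    esac
}

# Run both queries against a live server from a host outside its
# allowed networks. Needs network access, so it is not run below.
check_server() {
    root=$(dig -t ns "@$1" . | dig_status)
    own=$(dig -t soa "@$1" "$2" | dig_status)
    classify "$root" "$own"
}

# Constructed dig output lines, shaped like the header dig prints, so
# the parsing can be tried offline.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Render the config for one zone and two extra hosts, then classify a
# server that refuses the root query but serves its own zone.
render_options 192.0.2.10 192.0.2.0/24
render_zone example.org
classify "$(printf '%s\n' "$SAMPLE_CLOSED" | dig_status)" \
         "$(printf '%s\n' "$SAMPLE_OPEN" | dig_status)"
# Live check, with your own server and zone:
# check_server ns1.example.org example.org
```

Run check_server from a machine that is not in any of the listed networks; from inside them every query is allowed by design and the result will always look open.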


posted at: 00:19:07