[Pdns-users] [Pdns-announce] Related to recent DoS attacks: Recursor configuration file guidance

Asif Murad Khan asifmuradkhan at gmail.com
Thu Feb 6 15:51:49 UTC 2014


Hi Bert,

We use CentOS 6.4 64-bit and have installed pdns-recursor 3.5.3-1
from the monshouwer repository. Right now we have not faced any DDoS attack problem,
but we want to update it. Will we get an update via the repo?

regards,

Murad


On Thu, Feb 6, 2014 at 8:53 PM, bert hubert <bert.hubert at netherlabs.nl> wrote:

> Hi Winfried,
>
> The updated patch for 3.5.3 can be found on
>
> https://github.com/Habbie/pdns/commit/e24b124a4c7b49f38ff8bcf6926cd69077d16ad8
>
> I'll update the blog too.
>
>         Bert
>
> On Thu, Feb 06, 2014 at 02:03:49PM +0100, abang wrote:
> > Hello Bert,
> >
> > Would you also provide the patch for the current version 3.5.3?
> >
> > Winfried
> >
> > On 06.02.2014 13:10, bert hubert wrote:
> > >Hi everybody,
> > >
> > >Over the past week we've been contacted by a few users reporting their
> > >PowerDNS Recursor became unresponsive under a moderate denial of service
> > >attack, one which PowerDNS should be expected to weather without issues.
> > >
> > >In the course of investigating this issue, we've found that many PowerDNS
> > >installations on Linux are configured to consume (far) more filedescriptors
> > >than are actually available, wasting resources.
> > >
> > >To check if this is the case for you, multiply the 'max-mthreads' setting by
> > >the 'threads' setting. Default values are 2048 and 2, leading to a
> > >theoretical FD consumption of 4096. Many Linux distributions default to
> > >1024. So, our defaults exceed the Linux defaults by a large margin!
> > >
> > >(FreeBSD defaults are far higher, and should not pose an issue).
> > >
> > >To fix, there are four options:
> > >
> > >1) Reduce max-mthreads to 512 (or threads to 1)
> > >2) Run 'ulimit -n 4096' before starting (perhaps put this in /etc/init.d/ script)
> > >3) Investigate defaults in /etc/limits.conf
> > >4) Apply the patch in https://github.com/PowerDNS/pdns/commit/3a8a4d68735a0465dff9623c49fb6bf45e0850d8
> > >
> > >The patch automates 1 and 2, either raising the limit if possible, or
> > >reducing max-mthreads until "it fits".
> > >
> > >Thank you for your attention, and if you have results to report to us on
> > >previous or current DoS attacks, please contact me privately!
> > >
> > >     Bert
> > >
> >
> >
>
> _______________________________________________
> Pdns-announce mailing list
> Pdns-announce at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-announce
>



-- 
Asif Murad Khan
Cell: +880-1713-114230
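
The check described in the quoted announcement (multiply 'threads' by 'max-mthreads' and compare the product with the open-file limit), as an added shell example that is not part of the original thread or of PowerDNS. The function names, the output format and the sample configuration are assumptions made for illustration; the defaults 2 and 2048 and the 1024 limit are the figures quoted in the announcement.

```shell
#!/bin/sh
# Added example: compare the Recursor's theoretical FD use with the FD limit.

# conf_value FILE KEY DEFAULT
# Prints the last numeric "KEY=value" assignment in FILE (comment lines are
# skipped because they do not start with KEY), or DEFAULT if KEY is not set.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1)
    echo "${v:-$3}"
}

# fd_check FILE LIMIT
# Returns 0 if threads x max-mthreads fits within LIMIT, 1 if it does not.
# In the second case it also prints the largest max-mthreads that would fit.
fd_check() {
    threads=$(conf_value "$1" threads 2)            # default quoted in the post
    mthreads=$(conf_value "$1" max-mthreads 2048)   # default quoted in the post
    [ "$threads" -ge 1 ] || { echo "INVALID threads=$threads"; return 2; }
    need=$((threads * mthreads))
    if [ "$2" = unlimited ] || [ "$need" -le "$2" ]; then
        echo "OK need=$need limit=$2"
        return 0
    fi
    echo "EXCEEDS need=$need limit=$2 fit-max-mthreads=$(($2 / threads))"
    return 1
}

# Constructed sample configuration (not taken from any real host).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'threads=2' 'max-mthreads = 2048' > "$sample"

fd_check "$sample" 1024 || true            # common distribution default limit
fd_check "$sample" "$(ulimit -n)" || true  # limit of the shell running this
rm -f "$sample"
```

To check a real installation, call `fd_check` with the path of its recursor.conf and the limit in effect for the account and init script that start the daemon, which can differ from the limit of an interactive shell.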