权威DNS的防攻击相对容易一些,对于一般的小公司的话可以使用rrl模块做简单的限速就能取得不错的效果。测试过开启限速后使用queryperf去打,bind的负载基本不会上升的。递归DNS的防攻击会负责很多。如果单纯使用开源的解决方案就只有rrl和rpz这2个东东可以考虑了。值得一提的是在bind9.9.4里把这2个patch合并进去了。现在最新版的bind都是可以使用rpz设置对每个不同的域名做返回策略,rrl也可以限制好单个IP或IP段的频率。编译参数:
#/opt/bind/sbin/named -V
BIND 9.9.4-P2 (Extended Support Version) <id:3f00a920> built with '--prefix=/opt/bind/' '--enable-rrl' '--enable-epoll' '--enable-threads'
using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
rrl的配置可以参考:
rate-limit { responses-per-second 20; nodata-per-second 10; nxdomains-per-second 10; errors-per-second 10; //all-per-second 60; ipv4-prefix-length 32; max-table-size 10000; slip 2; //log-only yes ; qps-scale 50000; window 5; };
其中ipv4-prefix-length设置掩码为32位,就是对每个IP都独立限速, responses-per-second是对每个客户端响应速度上限。qps-scale是一个系数,比如设置qps-scale 250;
responses-per-second 20,当访问的qps是1000的时候,对单个ip的限速就变成了250/1000*20=5。详细的配置可以参考http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#options
[ rate-limit { [ responses-per-second number ; ] [ referrals-per-second number ; ] [ nodata-per-second number ; ] [ nxdomains-per-second number ; ] [ errors-per-second number ; ] [ all-per-second number ; ] [ window number ; ] [ log-only yes_or_no ; ] [ qps-scale number ; ] [ ipv4-prefix-length number ; ] [ ipv6-prefix-length number ; ] [ slip number ; ]
[ exempt-clients { address_match_list } ;
]
[ max-table-size number ; ] [ min-table-size number ; ] } ; ] [ response-policy { zone_name [ policy given | disabled | passthru | nxdomain | nodata | cname domain ]
[ recursive-only yes_or_no ] [ max-policy-ttl number ] ;
rpz的配置如下options字段新增
response-policy { zone “rpz.zone” policy given; };
然后在每个view里新增
zone “rpz.zone” { type master; file “master/rpz.zone”; allow-update {none;}; };
rpz.zone范例如下:
$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
NS localhost.
google.com IN CNAME google.com. www.abc.com IN CNAME www.abc.com. a.gnuers.org CNAME blogd.gnuers.org. no.gnuers.org CNAME . no1.gnuers.org CNAME *. host.gnuers.org CNAME . www.test.fr IN A 193.252.1.2 *.lala.com IN A 200.237.2.1
这样*.lala.com都会被解析为200.237.2.1,而对于no.gnuers.org会直接返回nxdomain, AUTHORITY SECTION会有rpz.zone的信息。
dig @127.0.0.1 no.gnuers.org
; «» DiG 9.8.1-P1 «» @127.0.0.1 no.gnuers.org ; (1 server found) ;; global options: +cmd ;; Got answer:
;
;
->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7410
;
;
flags: qr rd ra;
QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;no.gnuers.org. IN A
;; AUTHORITY SECTION:
rpz.zone. 30 IN SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
;; Query time: 1 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Feb 12 12:48:05 2014 ;; MSG SIZE rcvd: 97
日志的话可以单独设置一下
channel rpz_log { file "/opt/bind/var/log/named.rpz" versions 3 size 100m;
severity dynamic;
print-time yes;
};
channel rrt_log { file "/opt/bind/var/log/named.rrt" versions 3 size 100m;
severity dynamic;
print-time yes;
};
category rate-limit {rrt_log;}; category rpz {rpz_log;};
rpz的主要用途主要有几方面:1. 把部分做反射攻击的域名封掉。2. 把内部域名屏蔽掉,直接返回NXDOMAIN。3. 屏蔽部分暴力,黄色,诈骗网站。