James via bind-users
2018-09-26 00:07:32 UTC
Thank you for the https://www.isc.org/blogs/bind-9-packages/ blog post
and various binary distributions mentioned in it.
I am an end user, not a programmer, and I rely on Linux distributions
and application packages and so having up-to-date content from
authoritative sources is both helpful and very reassuring.
As a result of this, I now have the "stable" currently-9.12.2 version
from https://launchpad.net/~isc/+archive/ubuntu/bind installed on Ubuntu
18.04 here on my home desktop in order to hack away at something.
***
And that something is RPS... slight wrinkle: it doesn't seem to be
enabled in this build.
*Question:* Would it cause any problems to enable RPS the next time you
have a reason to kick off a build for this package?
This is not a crisis. However, over on my server, a year ago I learned
how to use Perl to write nfqueue handlers for use with nftables and one
of the things that I put in place was IPv4-and-IPv6 UDP DNS request
filtering with PCRE patterns figuring prominently in the logic.
The scary part is how well it works. 12 months of real-world experience
indicates that well over 99% of those requests that I do want to block
a) arrive on UDP and b) fit into the first packet, and after that it's
the amazing collection of Perl libraries that do all the heavy lifting
so that I just need to glue it together with some pretty ugly script...
but it works!
So I was looking forward to RPS having the effect of adding TCP to the
mix and doing a much more respectable job of extracting the queries.
Which does lead to the question about some RPS documentation but that's
sorta moot at this point.
***
Also, when running "named -V", I see both '--enable-static' and
'--disable-static' in the output. I have no idea if this is sensible or
not but it sure looks a little funny:
***@pc:~$ named -V
BIND 9.12.2-P2-1+ubuntu18.04.1+deb.sury.org+1-Ubuntu <id:b2bf278>
running on Linux x86_64 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27
15:21:48 UTC 2018
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=/usr/include' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu'
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
'--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-gost=no'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2'
'--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--disable-static' '--disable-native-pkcs11'
'--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind-BNj4_3/bind-9.12.2.P2+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 7.3.0
compiled with OpenSSL version: OpenSSL 1.1.0g 2 Nov 2017
linked to OpenSSL version: OpenSSL 1.1.0g 2 Nov 2017
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.12.1
linked to libjson-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
***@pc:~$
--
- James
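The duplicate and contradictory options in the `named -V` output above can be resolved mechanically. This is an added example, not part of the original post; it assumes the usual autoconf behaviour that the last occurrence of an option wins, and `BUILT_WITH` is an abridged copy of the quoted output.

```python
import re
import shlex

# Abridged from the "built by make with" line quoted in the post.
BUILT_WITH = (
    "'--build=x86_64-linux-gnu' '--prefix=/usr' '--sysconfdir=/etc' "
    "'--localstatedir=/var' '--sysconfdir=/etc/bind' '--localstatedir=/' "
    "'--enable-shared' '--enable-static' '--enable-rrl' '--enable-filter-aaaa' "
    "'--disable-static' '--disable-native-pkcs11' '--enable-dnstap'"
)

def effective_options(built_with):
    """Return (effective, overridden) for a configure argument string.

    Assumption: arguments are handled left to right, so a later setting
    replaces an earlier one. `overridden` lists (name, old, new) changes.
    """
    effective, overridden = {}, []
    for arg in shlex.split(built_with):
        m = re.match(r"--(enable|disable|with|without)-([^=]+)(?:=(.*))?$", arg)
        if m:
            kind, name, value = m.groups()
            group = "feature" if kind in ("enable", "disable") else "package"
            if kind in ("disable", "without"):
                value = "no"
            elif value is None:
                value = "yes"
        elif arg.startswith("--") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            group = "option"
        else:
            continue  # environment settings such as CFLAGS=... are not compared
        key = (group, name)
        if key in effective and effective[key] != value:
            overridden.append((name, effective[key], value))
        effective[key] = value
    return effective, overridden

if __name__ == "__main__":
    effective, overridden = effective_options(BUILT_WITH)
    for name, old, new in overridden:
        print(f"{name}: {old!r} overridden by {new!r}")
```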
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
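The first-packet UDP filtering described in the post comes down to extracting the question name from the DNS payload and matching it against patterns. The sketch below is an added example, not the poster's Perl code: the block patterns, the `verdict` and `build_query` names, and the policy of dropping malformed queries are all assumptions, and the nfqueue binding that would call `verdict` is left out.

```python
import re
import struct

# Constructed block patterns (assumptions); the post does not list its own.
BLOCK_PATTERNS = [
    re.compile(r"(^|\.)blocked\.example$"),
    re.compile(r"^[a-z0-9]{30,}\."),
]

def parse_question(payload):
    """Return (qname, qtype) from a UDP DNS query payload, or None if malformed."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set (a response) or not one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        # Lengths above 63 include compression pointers, which a query has no use for.
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels) or ".", qtype

def verdict(payload):
    """Return 'drop' or 'accept'; malformed queries are dropped (policy assumption)."""
    question = parse_question(payload)
    if question is None:
        return "drop"
    qname, _qtype = question
    blocked = any(p.search(qname) for p in BLOCK_PATTERNS)
    return "drop" if blocked else "accept"

def build_query(name, qtype=1):
    """Build a constructed sample query so the example runs offline."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

A query carried over TCP is prefixed with a two-byte length and may span several segments, which is why a per-packet filter like this covers only the UDP case the post describes.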