Categories
DNS

Compiling bind9 on linux with Response Rate Limiting (to prevent DDoS DNS attacks)

This tutorial can easily be applied to most any linux system. I went through these steps on Debian 7 server.

First let’s setup the environment, this tutorial assumes you have no previous install of bind on the server.

mkdir -p /var/local/cache/bind
mkdir -p /usr/local/etc/bind

We are assuming group id and user id 5005 are free, you may need to substitute ids

groupadd -g 5005 bind
useradd -u 5005 -g 5005 -d /var/local/cache/bind -M -s /bin/false bind


 Now let’s download the bind9 source code. This tutorial assumes you have the required dependencies installed. The only one I found tricky to locate was libkrb5-dev (on Debian you can install it with apt-get install libkrb5-dev)

cd /usr/src
wget http://ftp.isc.org/isc/bind9/cur/9.9/bind-9.9.5-P1.tar.gz
tar zxvf bind-9.9.5-P1.tar.gz
cd bind-9.9.5-P1
./configure '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' '--enable-rrl'
make
make install
wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /usr/local/etc/bind/db.root


 Last step is to install the configuration files and startup scripts.

rndc-confgen -a -c /usr/local/etc/bind/rndc.key
cat > /etc/named.conf <<EOT
 include "/usr/local/etc/bind/rndc.key";
 include "/usr/local/etc/bind/named.conf";
EOT
cat > /usr/local/etc/named.conf <<EOT
#
controls {
 inet 127.0.0.1 port 953
 allow { 127.0.0.1; 192.168.1.100; } keys { "rndc-key"; };
 };
options {
 directory "/var/local/cache/bind";
 allow-new-zones yes;
 transfers-in 500;
 empty-zones-enable yes;
 //forwarders { 8.8.8.8; 8.8.4.4; };
 recursion no;
 //allow-transfer {"none";};
 allow-query { any; };
 dnssec-validation auto;
 auth-nxdomain no;    # conform to RFC1035
 listen-on-v6 { any; };
 rate-limit {
  responses-per-second 5;
  #window 5;
  #log-only yes;
  };
};
zone "." {
 type hint;
 file "/usr/local/etc/bind/db.root";
};
EOT
chown bind:bind -R /var/local/cache/bind
chown bind:bind -R /usr/local/etc/bind

Please note the init.d scripts only work on Debian based systems. I do not have init.d scripts for any other distribution.

Download the init.d script here

Download the init.d default file here


 Copy the init.d script to /etc/init.d/bind9

Copy the init.d default file to /etc/default/bind9

chmod +x /etc/init.d/bind9
/etc/init.d/bind9 start

Leave a Reply

Your email address will not be published. Required fields are marked *