[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica
- Subject: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica
- From: jared at puck.Nether.net (Jared Mauch)
- Date: Tue, 4 Aug 2015 19:34:51 -0400
- In-reply-to: <[email protected]>
- References: <[email protected]> <[email protected]>
On Tue, Aug 04, 2015 at 12:00:32PM -0400, Jared Mauch wrote:
> I recommend using DNSDIST to balance traffic at a protocol level as you can have implementation diversity on the backside.
>
Here's an example dnsdist config you might find helpful:
This sends queries to the first two servers unless
they are for domains in the "nether" pool list. They go to
other servers.
You can restrict access based on the Acl.
newServer("x.x.223.10")
newServer("x.x.223.20")
;setServerPolicy(firstAvailable) -- first server within its QPS limit
setServerPolicy(leastOutstanding)
webserver("0.0.0.0:8083", "AskMe")
addACL("192.168.0.0/22")
addACL("10.0.0.0/16")
addACL("172.16.22.0/24")
setKey("AskMe")
controlSocket("127.0.0.1:1099")
newServer{address="129.250.35.250", pool="nether"}
newServer{address="129.250.35.251", pool="nether"}
newServer{address="8.8.8.8", pool="nether"}
addPoolRule({"ntt.net.", "nether.net."}, "nether")
addPoolRule({"arpa.", "google.", "gmail.com.", "google.com.", "googlemail.com."}, "nether")
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.