[SURBL-Discuss] Re: tips for SURBL on setting up reverse proxy NS's? (fwd)

Jeff Chan jeffc at surbl.org
Tue Apr 20 03:30:57 CEST 2004

On Monday, April 19, 2004, 11:27:24 AM, Justin Mason wrote:
>> I'm running one of the proxies for openrbl.org.  It's dead easy to set
>> this up -- a copy of Pound, a dedicated IP address, and 5 minutes to
>> write a 20 line config file.  Pound helps "clean" the requests, and
>> hides the real back-end server.
>> The portion of openrbl.org I proxy uses under 10kbps on average, with a
>> spike every few days for up to a few hours when someone tries to smack
>> it.  I run the IP through a 64kbps pipe with ipfw (gateway box runs
>> FreeBSD) for extra warmfuzzies, and packet filter all but port-80 to the
>> IP I've assigned.
>> > [...] fancy posting to discuss at lists.surbl.org with tips?
>> I'm at my quota for mailing lists -- if I subscribe to another, my nose
>> will bleed.  Pound is dead easy.  I would venture to guess that someone
>> who can't get it running probably shouldn't.
>> Pound is at http://www.apsis.ch/pound/, or in ports/www/pound if you're
>> FreeBSDing it.

Thanks for checking around for us, Justin.  Looks like Pound is a
reverse proxy for distributing web traffic to multiple
behind-the-scenes web servers.  It sounds like a generally useful
program.  We certainly could do something like that, and I could
see how it would be important to an operation like openrbl which
depends on web service to provide its info out to folks.

My solution is a little cruder but hopefully effective: limit
MaxClients to some low enough number that the bad guys can't
DoS us through web requests.  Currently I have our Apache
MaxClients set to 100, but I may lower it to, say, a fairly low 50.
May also bring up web service on another server and use simple
round-robin DNS for load balancing.  Key though is that web is of
lesser importance to us than DNS service, so if we lose web, it's
not as much of a big deal as it would be to folks like openrbl.

> Another tip from the SBL folks:

>> I'm not even sure where the root SBL zone server is.  All the public zone
>> servers and AXFR feeds are separate.  Query load is rather large, so
>> sub-zones are being broken out to two levels, allowing for more
>> nameservers to spread out the load.  (Admins are encouraged to use
>> close-by servers when possible.)  Check "NS" records for
>> "sbl.spamhaus.org".

Yes, if we can get some more secondaries signed on board, I may
take the source servers out of the registration and delegation
entirely (to hide them a little) and let the secondaries do all
the DNS.  Heck we could probably do that now.  Maybe we'll
combine it with some other changes mentioned below.

>> Probably goes without saying, but selecting a zone name that can be "end
>> of lifed" when needed should be considered.

> Also, someone else mentioned that the top-level zone, "surbl.org" for
> example, may become the target.  So that also needs secondaries.

Yep, we now have secondaries for the top level zone surbl.org.
All the secondaries of the SURBL subdomains are also secondarying
the parent domain.  It becomes much harder to DoS the parent
domain because of that.  Thanks secondaries!!  :-)

Also I have some other strategies for some redundancy and
DoS resistance that I will share with (at least) the secondaries
once I get another server or two set up.


Jeff C.
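Added example (not part of the original thread, and not SURBL's actual configuration): a BIND 9 layout for the "hidden primary" arrangement Jeff describes above, where the source server is taken out of the delegation entirely and only the secondaries appear in the NS records, with the web hosts behind a round-robin pair of A records. The hostnames and the RFC 5737 documentation addresses (192.0.2.10 for the hidden primary, 198.51.100.1 and 203.0.113.1 for the secondaries) and the TSIG secret are placeholders chosen for the example.

```text
# ---- named.conf on the hidden primary (192.0.2.10) ----
# The primary is authoritative-only and is never listed in the
# delegation or in the zone's NS records; only the secondaries are.

# TSIG key shared with the secondaries, so an AXFR request from a
# spoofed secondary address is rejected.  Placeholder secret: replace
# with the output of dnssec-keygen or `openssl rand -base64 32`.
key "surbl-xfer" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWdvZXMtaGVyZQ==";
};

acl secondaries { 198.51.100.1; 203.0.113.1; };

options {
    directory "/var/named";
    recursion no;                 # serve our zones, answer nothing else
    allow-transfer { none; };     # default: nobody may AXFR anything
    notify explicit;              # NOTIFY only the hosts in also-notify
};

zone "surbl.org" {
    type master;
    file "master/surbl.org";
    # AXFR only from the secondaries, and only when TSIG-signed
    allow-transfer { !{ !secondaries; any; }; key surbl-xfer; };
    also-notify { 198.51.100.1; 203.0.113.1; };
};

# ---- named.conf on each secondary (e.g. 198.51.100.1) ----
# Same key statement as above, then:
server 192.0.2.10 { keys { surbl-xfer; }; };

zone "surbl.org" {
    type slave;
    file "slave/surbl.org";
    masters { 192.0.2.10; };      # the secondaries know the primary; the public does not
    allow-transfer { none; };     # do not leak the zone via AXFR from here either
};

# ---- zone file master/surbl.org ----
$TTL 3600
@       IN  SOA ns1.example.net. hostmaster.surbl.org. (
                2004042001  ; serial (YYYYMMDDnn)
                3600        ; refresh
                1800        ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
; Only the public secondaries are named here; the SOA MNAME also
; points at a secondary so the primary's name is nowhere in the zone.
        IN  NS  ns1.example.net.
        IN  NS  ns2.example.org.
; Web service: two hosts, round-robin by returning both A records.
www     IN  A   198.51.100.80
www     IN  A   203.0.113.80
```

The NS set at the registrar must match the NS records in the zone (the two secondaries only); if the old primary is still listed in the delegation it remains a query target no matter what the zone file says. A quick check from outside is `dig +short NS surbl.org` to confirm the primary's name is absent, and `dig @198.51.100.1 surbl.org AXFR` to confirm the secondaries refuse zone transfers to the public.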
