
Re: named on lenny



> > On Sun, 08 Mar 2009, Leonardo Boselli wrote:
> >> they have to supply dns service to everyone.

> Wednesday, March 11, 2009, 2:52:56, Henrique de Moraes Holschuh wrote:
> > That will make you a DoS amplification point, and yet another problem for
> > the Internet at large.  Do not do it.

On 11.03.09 09:31, Marek Podmaka wrote:
> I also have similar setup due to historical reasons. But as a reaction
> to the new attacks (". IN NS" and TXT queries) I have turned on
> fail2ban for bind's querylog. I block every IP which does more than
> 100 requests (only TXT, NS and MX) in 3 minutes (except my own
> servers' IP).

You had better turn off recursive service for everyone and allow only
authorized clients (either by their IP, or by their TSIG).
The above is NOT the only reason not to provide recursive DNS to anyone.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
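The restriction described in this reply, as an added BIND 9 named.conf example (not configuration posted in the thread): recursion and cache access are limited to an ACL made of trusted addresses plus a TSIG key, while authoritative answers for the server's own zone stay open to everyone. The network range, key name, secret and zone name are placeholders.

```conf
// Added example, not from the mailing list thread. Placeholders throughout.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;          // assumed: the site's own client network
    key "client-key";      // assumed: clients that sign their queries with this TSIG key
};

key "client-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder; generate a real key with dnssec-keygen
};

options {
    directory "/var/cache/bind";
    recursion yes;                   // recursion stays switched on...
    allow-recursion { trusted; };    // ...but only for the trusted ACL
    allow-query-cache { trusted; };  // cached answers are likewise not served to strangers
    allow-query { any; };            // authoritative data may still be queried by anyone
};

// Zone this server is authoritative for; answers from it do not need recursion.
zone "example.org" {
    type master;
    file "/etc/bind/db.example.org";   // assumed path
};
```

After reloading, a recursive query for a name outside your zones (for example `dig @yourserver www.example.com +recurse`) sent from an address not in the ACL should come back with status REFUSED, while a query for a name in example.org is still answered.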