[Pdns-users] protect using fail2ban
John WH Smith
jwhsmith at englandmail.com
Thu Jan 30 17:44:22 UTC 2014
I wouldn't rule out the possibility to block (legitimate) users even out
of the DoS context. DNS are probably the most requested network
component on your machine : it wouldn't be unusual for the same IP to
process N>10 DNS requests in a matter of seconds (bots, opening browser
tabs, connecting mail servers relying on the domain, and so on). That's
part of the reasons for using UDP in DNS transactions.
Now about the DoS risk : it might take some power to bring down a DNS
server, especially if you consider the DNS secondary servers. With 2, 3
or 4 servers registered for your domain, it takes 2/3/4 times as much
power to make the whole service unavailable... Someone with such power
would probably use it to crush your bandwidth, not your application
layer... (not to mention the spoofing problem mentioned by Andreas
DoS attacks should be handled far before requests reach your server. You
may want to ask your provider about its installation before setting up
too restrictive/dangerous rules through something like fail2ban.
On 30/01/14 16:19, Andreas Tauscher wrote:
>> In the past i had a dns flood so im trying to setup some firewall options.
>> I found this on the list.
>> But you say that is not the right way to do ?
> As Aki Tuomi wrote: Are you absolutely sure you know what you are doing?
> Most of DNS traffic is UDP. The sender address in such an flood might be
> faked or normally is faked. By blocking it automatic you open the
> possibility of an DOS attack to your legitimated users.
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
More information about the Pdns-users