[Pdns-users] protect using fail2ban

John WH Smith jwhsmith at englandmail.com
Thu Jan 30 17:44:22 UTC 2014

I wouldn't rule out the possibility to block (legitimate) users even out 
of the DoS context. DNS are probably the most requested network 
component on your machine : it wouldn't be unusual for the same IP to 
process N>10 DNS requests in a matter of seconds (bots, opening browser 
tabs, connecting mail servers relying on the domain, and so on). That's 
part of the reasons for using UDP in DNS transactions.

Now about the DoS risk : it might take some power to bring down a DNS 
server, especially if you consider the DNS secondary servers. With 2, 3 
or 4 servers registered for your domain, it takes 2/3/4 times as much 
power to make the whole service unavailable... Someone with such power 
would probably use it to crush your bandwidth, not your application 
layer... (not to mention the spoofing problem mentioned by Andreas 

DoS attacks should be handled far before requests reach your server. You 
may want to ask your provider about its installation before setting up 
too restrictive/dangerous rules through something like fail2ban.

On 30/01/14 16:19, Andreas Tauscher wrote:
>> In the past i had a dns flood so im trying to setup some firewall options.
>> I found this on the list.
>> But you say that is not the right way to do ?
> As Aki Tuomi wrote: Are you absolutely sure you know what you are doing?
> Most of DNS traffic is UDP. The sender address in such an flood might be
> faked or normally is faked. By blocking it automatic you open the
> possibility of an DOS attack to your legitimated users.
> Andreas
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

More information about the Pdns-users mailing list