[Pdns-users] protect using fail2ban

Steffan Noord steffannoord at gmail.com
Fri Jan 31 08:44:14 UTC 2014


So conclusion
Do not use a firewall unless your under attack.
Then use a firewall to filter out the attacker and block him at the front
end.

Steffan

-----Oorspronkelijk bericht-----
Van: pdns-users-bounces at mailman.powerdns.com
[mailto:pdns-users-bounces at mailman.powerdns.com] Namens John WH Smith
Verzonden: donderdag 30 januari 2014 18:44
Aan: pdns-users at mailman.powerdns.com
Onderwerp: Re: [Pdns-users] protect using fail2ban

I wouldn't rule out the possibility to block (legitimate) users even out of
the DoS context. DNS are probably the most requested network component on
your machine : it wouldn't be unusual for the same IP to process N>10 DNS
requests in a matter of seconds (bots, opening browser tabs, connecting mail
servers relying on the domain, and so on). That's part of the reasons for
using UDP in DNS transactions.

Now about the DoS risk : it might take some power to bring down a DNS
server, especially if you consider the DNS secondary servers. With 2, 3 or 4
servers registered for your domain, it takes 2/3/4 times as much power to
make the whole service unavailable... Someone with such power would probably
use it to crush your bandwidth, not your application layer... (not to
mention the spoofing problem mentioned by Andreas Tauscher).

DoS attacks should be handled far before requests reach your server. You may
want to ask your provider about its installation before setting up too
restrictive/dangerous rules through something like fail2ban.

On 30/01/14 16:19, Andreas Tauscher wrote:
>> In the past i had a dns flood so im trying to setup some firewall
options.
>> I found this on the list.
>> But you say that is not the right way to do ?
> As Aki Tuomi wrote: Are you absolutely sure you know what you are doing?
>
> Most of DNS traffic is UDP. The sender address in such an flood might 
> be faked or normally is faked. By blocking it automatic you open the 
> possibility of an DOS attack to your legitimated users.
>
> Andreas
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users


_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users





More information about the Pdns-users mailing list