From: Yaroslav H. <li...@on...> - 2007-07-29 15:44:50

And please find filter attached (I've sent it to the list a few times already but the list server for some reason didn't forward my emails to the list). I want to mention once again that there is a possibility of DoS against your server, so use this filter/jail with caution:

* Add your local IPs to ignoreip (so your local boxes can't be denied access)
* Do not enable permanent banning for the jail (bantime = -1) -- just make it sufficiently long (like an hour: bantime = 3600)
* It is better to ban only DNS specific ports (so do not use iptables-all or shorewall actions), so that you do not provoke DoS against the server if it hosts other services
* Enable both udp and tcp jails (some small portion of queries from outside can come through TCP)

Jail configuration in debian (in stock jail.conf you would need to specify action explicitly) for named-refused would be:

# DNS Servers
# Mention: by default logging is off with bind installation.
# Need smth like
# logging {
#   channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 30m; severity dynamic; print-time yes; };
#   category lame-servers { lame-servers_file; };
# }
# in your named.conf to provide proper logging

[named-refused-udp]
enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/lame-servers.log

[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/lame-servers.lo

On Sat, 28 Jul 2007, Richard Creighton wrote:
> If you run a DNS server on your system you probably have been plagued
> with external sites trying to forward queries through your DNS server.
> Even though you probably have told your named.conf to allow-query

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User                       ^^-^^    [175555]
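The filter itself is attached to the message and not on this page. As an added illustration (not the attached filter, not fail2ban's own code), the script below shows what such a jail does: it matches BIND "query ... denied" lines for a client address, skips addresses in ignoreip, bans only once maxretry denied queries are seen, and builds a DROP rule restricted to the DNS ports rather than all traffic. The regex, chain placement and the log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed BIND 9 log lines for this example (not from the original message).
SAMPLE_LOG = """\
29-Jul-2007 11:02:13.141 client 192.0.2.10#33021: query (cache) 'example.org/A/IN' denied
29-Jul-2007 11:02:13.502 client 192.0.2.10#33022: query (cache) 'example.org/MX/IN' denied
29-Jul-2007 11:02:14.009 client 198.51.100.7#5353: query (cache) 'example.net/A/IN' denied
29-Jul-2007 11:02:15.320 client 192.0.2.10#33023: query (cache) 'example.org/NS/IN' denied
29-Jul-2007 11:02:16.777 client 10.0.0.5#40001: query (cache) 'example.org/A/IN' denied
29-Jul-2007 11:02:17.001 client 203.0.113.9#1234: query (cache) 'example.com/A/IN' approved
"""

# Pattern modelled on the shape of BIND's "query ... denied" message; an assumption,
# not the filter attached to the message.  Only the client address is captured.
FAILREGEX = re.compile(
    r"client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+: query(?: \(cache\))? '[^']*' denied\s*$"
)


def offenders(log_text, maxretry=3, ignoreip=()):
    """Count denied-query lines per client and return the addresses that reached
    maxretry.  Addresses in ignoreip are never counted, mirroring the advice to
    list local boxes there so they cannot be denied access."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m or m.group("host") in ignoreip:
            continue
        counts[m.group("host")] += 1
    return {ip for ip, n in counts.items() if n >= maxretry}


def ban_rule(ip, proto, ports=("domain", "953")):
    """Port-restricted DROP rule, the alternative to an iptables-all style ban the
    message recommends: only the DNS ports are blocked for the offender, so other
    services on the host stay reachable.  Inserting into INPUT directly is an
    assumption; fail2ban's own actions use a per-jail chain."""
    return ["iptables", "-I", "INPUT", "1", "-s", ip, "-p", proto,
            "-m", "multiport", "--dports", ",".join(ports), "-j", "DROP"]


if __name__ == "__main__":
    for ip in sorted(offenders(SAMPLE_LOG, maxretry=3, ignoreip=("10.0.0.5",))):
        for proto in ("udp", "tcp"):  # both jails, as the message advises
            print(" ".join(ban_rule(ip, proto)))
```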