Installing bind is not very clear for me

John Miller johnmill at
Fri Sep 4 19:54:18 UTC 2015

On Fri, Sep 4, 2015 at 3:29 PM,  <sthaug at> wrote:
>> One Firewall should be enough.
>> So, what you consider this firewall should do ?
>> In my opinion:
>> Block requests coming from a blacklist (Who will generate this list ?)
>> Block denial of service requests. It needs to measure the requests rate
>> to detects when is under attack.
>> Block port scanners on publics ips.
> Before you put a firewall in front of a public facing name server,
> you might want to consider slide 16 of the following presentation:
> The slide headline is "Stateful firewalls in front of servers
> considered harmful!" - and the author has ample arguments for his
> point of view.

Oh man....  Depending on your query volume, a stateful firewall in
front of a public NS sounds like a recipe for disaster--that
connection tracking table would get large quite quickly.  We run
host-based firewalls on our DNS servers--but they're stateless on port
53.  (uses the raw table in iptables to disable connection tracking)


More information about the bind-users mailing list