Installing bind is not very clear for me
noel.butler at ausics.net
Sat Sep 5 02:01:41 UTC 2015
On 05/09/2015 05:00, Leandro wrote:
> Reindl, I agree with you.
> One firewall should be enough.
> So, what do you consider this firewall should do?
> In my opinion:
> Block requests coming from a blacklist (who will generate this list?)
> Block denial of service requests. It needs to measure the request rate to detect when it is under attack.
> Block port scanners on public IPs.
> I don't know what else ...
The only blacklists you should trust are your own; each network is
different. Our gear in Australia fights off completely different
miscreants than our stuff in L.A. does, which again differs from our stuff
in Frankfurt; they rarely see the same miscreants.
My background is ISP and web hosting; that hosting also included game
servers, so we saw a few DDoS against them, but nothing we couldn't
handle. If you are a direct target for such activity you need to consult
someone who knows what they are doing if your bandwidth can't cope; if
you're not a constant target, stop being so bloody paranoid :)
I assume you're in the private corporate world, so the best thing is
appropriate ACLs on your border router(s), allowing only the sort of
traffic you want for server group X: http(s) ports to web servers,
only p 53 to your DNS servers. Layer 7 policies are a bit overkill in my
opinion, so just use ports. If you do need such, then you need to
consult a network specialist; the bind users group is hardly the place,
but there is a person on this list who specialises in anti-DoS and he
might pop his head up.
In general iptables works a treat for X queries in X time; also fail2ban
works wonders to block those that persist if your servers are *nix
based. I don't have a single M$ product, so no idea what you should use on
those. And use a modern version of bind and RRL.
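The "X queries in X time" check that the reply attributes to iptables and fail2ban, written out as an added example that is not part of the original thread: a sliding-window counter over BIND query-log lines that flags any client exceeding a query threshold and emits the corresponding port-53 drop rule. The log lines are constructed for illustration, the threshold values are assumptions, and the rule is only printed, never applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of BIND query-log lines (not taken from the thread).
# 203.0.113.5 fires six ANY queries in under two seconds; 192.0.2.10 sends
# three queries spread over a minute; the last line is deliberate noise.
SAMPLE_LOG = """\
05-Sep-2015 02:00:00.100 client 192.0.2.10#53214 (example.com): query: example.com IN A + (198.51.100.1)
05-Sep-2015 02:00:00.200 client 203.0.113.5#40001 (isc.org): query: isc.org IN ANY + (198.51.100.1)
05-Sep-2015 02:00:00.500 client 203.0.113.5#40002 (isc.org): query: isc.org IN ANY + (198.51.100.1)
05-Sep-2015 02:00:00.800 client 203.0.113.5#40003 (isc.org): query: isc.org IN ANY + (198.51.100.1)
05-Sep-2015 02:00:01.100 client 203.0.113.5#40004 (isc.org): query: isc.org IN ANY + (198.51.100.1)
05-Sep-2015 02:00:01.400 client 203.0.113.5#40005 (isc.org): query: isc.org IN ANY + (198.51.100.1)
05-Sep-2015 02:00:01.700 client 203.0.113.5#40006 (isc.org): query: isc.org IN ANY + (198.51.100.1)
05-Sep-2015 02:00:30.000 client 192.0.2.10#53215 (example.net): query: example.net IN AAAA + (198.51.100.1)
05-Sep-2015 02:00:59.000 client 192.0.2.10#53216 (example.org): query: example.org IN MX + (198.51.100.1)
this line is not a query log entry and must be skipped
"""

# Matches the classic "client IP#port (qname): query:" form; the optional
# "@0x..." token covers the pointer BIND 9.11+ prints before the address.
LOG_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}) '
    r'client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ '
    r'\((?P<qname>[^)]*)\): query: '
)


def parse_line(line):
    """Return (timestamp, client_ip, qname) for a query-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d-%b-%Y %H:%M:%S.%f')
    return ts, m.group('ip'), m.group('qname')


def find_abusers(lines, max_queries, window_seconds):
    """Sliding-window rate check per client IP.

    Keeps, for each client, the timestamps of its queries inside the last
    window_seconds. A client is flagged the first time more than max_queries
    fall inside that window. Returns {ip: timestamp_of_first_breach}.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-query lines (startup, zone, noise) are ignored
        ts, ip, _qname = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have slid out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_queries and ip not in flagged:
            flagged[ip] = ts
    return flagged


def iptables_drop_rule(ip):
    """Hypothetical helper: the DNS drop rule a fail2ban action would run.

    Returned as a string for review; nothing here executes iptables.
    """
    return f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP"


if __name__ == '__main__':
    # Assumed policy: more than 5 queries from one client within 10 s is abuse.
    offenders = find_abusers(SAMPLE_LOG.splitlines(), max_queries=5, window_seconds=10)
    for ip, when in sorted(offenders.items()):
        print(f"{ip} exceeded the limit at {when.time()} -> {iptables_drop_rule(ip)}")
```

The deque per client is what keeps this linear in the number of log lines rather than re-scanning history on every query; the same bounded-window idea is what a rate-limiting firewall rule or BIND's RRL implements in-kernel or in-daemon, where it belongs on a busy resolver.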