FW: Preventing a particular type of nameserver abuse

Richard T.A. Neal richard at richardneal.com
Tue Apr 13 22:37:22 UTC 2021

Julien Salort wrote:

> Do you block specifically the dns queries in the firewall, or straight out block the IP?

I specifically block both UDP 53 and TCP 53, but that's essentially a full block because these servers are only running BIND, nothing else.

> Reading this thread, I considered simply enabling the fail2ban named-refused jail, but they advise against it because it would end up blocking the victim rather than the attacker.

I'm happy to be corrected by more knowledgeable people than me, but I don't necessarily agree with fail2ban's recommendation. By blocking traffic to the victim (which is what I'm doing by blocking traffic from the spoofed Source IP, because no inbound traffic means no outgoing replies) then I'm helping to protect the victim, or at least prevent my server being used in the reflection attack against that victim.


More information about the bind-users mailing list