Installing bind is not very clear for me
John Miller
johnmill at brandeis.edu
Fri Sep 4 19:54:18 UTC 2015
On Fri, Sep 4, 2015 at 3:29 PM, <sthaug at nethelp.no> wrote:
>> One Firewall should be enough.
>> So, what you consider this firewall should do ?
>> In my opinion:
>> Block requests coming from a blacklist (Who will generate this list ?)
>> Block denial of service requests. It needs to measure the requests rate
>> to detects when is under attack.
>> Block port scanners on publics ips.
>
> Before you put a firewall in front of a public facing name server,
> you might want to consider slide 16 of the following presentation:
>
> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>
> The slide headline is "Stateful firewalls in front of servers
> considered harmful!" - and the author has ample arguments for his
> point of view.
>
Oh man.... Depending on your query volume, a stateful firewall in
front of a public NS sounds like a recipe for disaster--that
connection tracking table would get large quite quickly. We run
host-based firewalls on our DNS servers--but they're stateless on port
53. (uses the raw table in iptables to disable connection tracking)
John
More information about the bind-users
mailing list