Linux - Security forum (LinuxQuestions.org)
Hello,
I have a BIND server (v9) for my mail server. For the last 2 days it has been sending too much traffic. I tried dropping requests from the IPs that send them; it worked, but it is only a temporary solution. The named process takes 10 to 15 percent of CPU. I also set these options in BIND:
Code:
clients-per-query 2;
max-clients-per-query 3;
What ARE the requests? BIND has to process a request to a given extent to know if it should process it, so that can only ever help so much. Sounds like you might want to just use the limit module in iptables to block DNS floods.
Thanks all.
For info, it was a DNS amplification attack.
I set this in named.options:
Code:
recursive-clients 5;
allow-recursion { any; };
allow-query { any; };
clients-per-query 1;
max-clients-per-query 3;
transfers-per-ns 2;
transfers-in 3;
transfers-out 3;
and also installed fail2ban for BIND (port 53).
Till now everything goes OK..
Last edited by hesisaboury; 03-05-2013 at 08:13 AM.
The .options limiting you did looks good to me, but if you search this forum you'll find some recent threads about DNS amplification attacks, including links to NS best practices like CYMRU's ISC BIND templates, etc. (Additionally this provides a nice write-up.) Just saying, because there's a difference between utilizing ISC BIND as a caching name service for, say, only LAN clients and exposing it publicly as the authoritative name server for domains. In the first case
Code:
allow-recursion { any; };
is useful; in the latter it is not. Reading those docs you could conclude the iptables limit module may be helpful, but only as an additional measure, because using it does not address the core problem.
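As an added example (not from the thread or from ISC), a named.conf fragment contrasting the two cases the reply distinguishes: a LAN-only caching resolver, where recursion is kept but restricted, and a public authoritative server, where recursion is turned off and responses are rate limited. The 192.168.1.0/24 network, the zone name example.com and the file paths are assumed placeholders.

```conf
// Added example, not from the thread. Assumes the LAN is 192.168.1.0/24
// and that the server hosts the zone example.com; adjust both.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

// Case 1: caching resolver for LAN clients only. Recursion stays enabled
// but is restricted to the "lan" ACL, so a spoofed query from the Internet
// gets a small REFUSED reply instead of a large recursive answer sent to
// the spoofed victim address.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { lan; };
    allow-query-cache { lan; };
    allow-recursion { lan; };
};

// Case 2: public authoritative server for example.com. It has to answer
// anyone for its own zones, so the defence is to disable recursion
// entirely (allow-recursion { any; } here would make it an open resolver)
// and to cap identical answers with Response Rate Limiting
// (BIND 9.9.4+ built with RRL support, on by default from 9.10).
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { any; };
    rate-limit {
        responses-per-second 5;   // identical answers per client /24 per second
        window 5;                 // seconds over which the credit is averaged
    };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { none; };     // list explicit secondaries here instead of any
};
```

Only one options block may exist in a real named.conf, so keep whichever case matches the server's role and check the result with `named-checkconf` before reloading.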