I am not sure where to go to ask this question, so I ask it here.
I am using Unbound to serve a public DNS server and I am looking for a way to prevent a bot or server from degrading my service by requesting the same domain name like 10 times per second. I thought of using fail2ban, but for that I need to get the IP of the requester somewhere in the log, so I tried analyzing the log and changed the verbosity of the logging with unbound-control, but I still don't find anything that I could use for this purpose.
Do you have any idea how I can achieve this goal?
Thank you!
Dominick Rivard
R&D Linux Developer
Datavalet Technologies Inc.
On BSD I'd say use a pf rule to block the IP for a time period if X many concurrent states to port 53. Is something like that possible with iptables on Linux?
Like a rate-limit for incoming connections? Yes, it's possible:
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS -j DROP
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS -j ACCEPT
The first rule blocks every attempt above 10 per minute, but it's a quick'n'dirty
example; it's possible to have something better.
That would work on a general denial of service scenario (rate limiting)
but the OP wanted to block the client after X connections to the same
domain, and with pf (and probably iptables) you cannot log the requested
domain name; you will need some user-level magic here.
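The per-client, per-name counting that pf and iptables cannot do, as an added example that is not from anyone in this thread: a small Python sliding-window checker over Unbound query-log lines, the kind of thing a fail2ban action or a cron job could consume. It assumes Unbound is configured with `log-queries: yes`, `use-syslog: no` and epoch timestamps, so each query line ends in `<client ip> <qname> <qtype> <qclass>`; the log lines below are constructed, not captured.

```python
import re
from collections import defaultdict, deque

# Assumed Unbound query-log line shape (log-queries: yes, use-syslog: no,
# epoch timestamps): "[<ts>] unbound[<pid>:<tid>] info: <ip> <qname> <qtype> <qclass>"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<ip>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Constructed sample: one client hammers example.com. 12 times in one second,
# another client asks example.org. twice, plus a non-query line to be skipped.
SAMPLE_LOG = (
    ["[1700000000] unbound[4242:0] info: 192.0.2.10 example.com. A IN"] * 12
    + [
        "[1700000000] unbound[4242:0] info: 198.51.100.7 example.org. AAAA IN",
        "[1700000001] unbound[4242:0] info: 198.51.100.7 example.org. AAAA IN",
        "[1700000001] unbound[4242:0] notice: init module 0: validator",
    ]
)


def find_offenders(lines, limit=10, window=1):
    """Return {(ip, qname): peak_count} for clients that asked the same name
    more than `limit` times within any `window`-second span (per-key sliding
    window, so a steady low rate never accumulates into a ban)."""
    seen = defaultdict(deque)  # (ip, qname) -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # startup/notice lines are not queries
        ts = int(m["ts"])
        key = (m["ip"], m["qname"].lower())
        q = seen[key]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > limit:
            offenders[key] = max(offenders.get(key, 0), len(q))
    return offenders


def ips_to_ban(lines, limit=10, window=1):
    """Distinct client IPs to hand to the firewall/fail2ban, sorted."""
    return sorted({ip for ip, _ in find_offenders(lines, limit, window)})


if __name__ == "__main__":
    for (ip, name), n in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} asked {name} {n} times within 1s")
```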
Thank you, everyone, for your I'll test the log queries today on my testing
environment; if I can get fail2ban to work with this log I will keep you
informed. The reason I want to use fail2ban is to automate the process of
banning the IP without having to manually create iptables rules by hand and
then manage them each time I have to add one. If this doesn't work I'll test
the time-based iptables rules.
Is there a reason you're running a public facing DNS server, OP? Seems kind of silly that you wouldn't just firewall it for the few people that need it.