Julien Salort wrote:

> Do you block specifically the DNS queries in the firewall, or straight out
> block the IP?
I specifically block both UDP 53 and TCP 53, but that's essentially a full block because these servers are only running BIND, nothing else.

> Reading this thread, I considered simply enabling the fail2ban named-refused
> jail, but they advise against it because it would end up blocking the victim
> rather than the attacker.

I'm happy to be corrected by more knowledgeable people than me, but I don't necessarily agree with fail2ban's recommendation. By blocking traffic to the victim (which is what I'm doing by blocking traffic from the spoofed source IP, because no inbound traffic means no outgoing replies), I'm helping to protect the victim, or at least prevent my server from being used in the reflection attack against that victim.

Best,

Richard.
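A small checker for the "query (cache) ... denied" lines that fail2ban's named-refused filter keys on, added here as an example and not code from the thread or from ISC: it counts denied queries per source over constructed BIND log lines and emits nft commands that drop both UDP 53 and TCP 53 from sources over a threshold, the full block Richard describes. The threshold, the log sample and the nftables table/chain names are assumptions.

```python
import re

# Constructed BIND 9 query-log lines in the "query (cache) ... denied" form that
# fail2ban's named-refused filter matches; documentation-range IPs, not real hosts.
SAMPLE_LOG = """\
10:01:02.123 queries: info: client @0x7f3a0c001e60 203.0.113.7#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
10:01:02.456 queries: info: client @0x7f3a0c001e60 203.0.113.7#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
10:01:03.001 queries: info: client 198.51.100.9#40112 (example.com): query (cache) 'example.com/A/IN' denied
10:01:03.777 queries: info: client @0x7f3a0c001e60 203.0.113.7#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
10:01:04.010 queries: info: client 2001:db8::1#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
"""

# Older BIND releases omit the "@0x..." client pointer, so it is optional here.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r".*?query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

def count_denied(log_text):
    """Per-source counts of denied queries, noting how many were ANY queries."""
    stats = {}
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            s = stats.setdefault(m["ip"], {"total": 0, "any": 0})
            s["total"] += 1
            s["any"] += int(m["qtype"] == "ANY")
    return stats

def sources_over(stats, threshold=3):
    """Sources with at least `threshold` denied queries (threshold is assumed)."""
    return sorted(ip for ip, s in stats.items() if s["total"] >= threshold)

def nft_rules(ips, table="inet filter", chain="input"):
    """nft commands dropping UDP 53 and TCP 53 from each source, i.e. the full
    block the message describes. Table/chain names are assumptions."""
    rules = []
    for ip in ips:
        family = "ip6" if ":" in ip else "ip"
        for proto in ("udp", "tcp"):
            rules.append(f"nft add rule {table} {chain} {family} saddr {ip} {proto} dport 53 drop")
    return rules

if __name__ == "__main__":
    stats = count_denied(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip}: {s['total']} denied, {s['any']} ANY")
    print("\n".join(nft_rules(sources_over(stats))))
```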