On Wed, Jan 22, 2014 at 1:33 PM, Daniel Fussell <[email protected]> wrote:
> The one thing I know is, I'm being continually scanned by what appears
> to be bots, on both tcp and udp, despite my refusal to do the recursion,
> perhaps under the assumption I might screw up and start recursing
> again. Moving to the assumption that I may be the intended target, my
> response would be to cut off their communication with my server before
> the server ever sees the packet; the sooner the drop, the better.
How bad is it? How much bandwidth, or how many invalid queries per second, are you experiencing? There is always some background noise associated with the automated vulnerability scans/worms going around.

To filter those packets before they reach your nameserver you'll have to employ some form of deep packet inspection. This requires just about as much processing power as your nameserver itself requires, unless you buy specialized hardware. So the tradeoff becomes spending your time, the management of a new process/system, and/or hardware to gain decreased outbound bandwidth usage. If the extraneous outbound bandwidth usage is high enough to impact your bottom line, it would be to your benefit to implement some form of DPI firewall like you were asking about. But, IMHO, it's probably not worth the tradeoff. Just do some simple blacklisting of extreme offenders.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
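One way to do the "simple blacklisting of extreme offenders" suggested above, as an added example that is not part of the original thread and not code from either poster: parse the nameserver's denied-query log, count queries per source per second, and emit ipset/iptables commands that drop repeat offenders before the nameserver ever sees their packets. The log lines are constructed in a BIND-style "security" category format (an assumption; adjust LOG_RE for your own server's logging), the thresholds are arbitrary, and the netfilter commands assume a Linux host with ipset available.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed BIND-style format
# ("client IP#port: query (cache) 'name/type/class' denied").
SAMPLE_LOG = [
    # a scanner firing 8 queries within a single second
    *(f"22-Jan-2014 13:40:01.{i:03d} client 198.51.100.7#5{i:04d}: "
      f"query (cache) 'isc.org/ANY/IN' denied" for i in range(8)),
    # a low-rate source: 3 queries spread over several seconds
    "22-Jan-2014 13:40:02.010 client 203.0.113.5#40001: query (cache) 'example.com/A/IN' denied",
    "22-Jan-2014 13:40:05.020 client 203.0.113.5#40002: query (cache) 'example.com/A/IN' denied",
    "22-Jan-2014 13:40:09.030 client 203.0.113.5#40003: query (cache) 'example.com/A/IN' denied",
    # an unrelated (non-denied) line that the parser must ignore
    "22-Jan-2014 13:40:10.000 client 203.0.113.9#40004: query: example.net IN A -ED (192.0.2.1)",
]

# Matches only denied queries; captures the second-resolution timestamp and source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query .* denied$"
)


def parse_denied(lines):
    """Yield (timestamp, source_ip) for each denied-query line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"), m["ip"]


def find_offenders(lines, per_second=5, total=20):
    """Return {ip: (total_denied, peak_per_second)} for sources that exceed
    either the peak-rate threshold or the total-count threshold.
    Thresholds are arbitrary assumptions; tune them to your own noise floor."""
    totals = Counter()
    per_sec = defaultdict(Counter)  # ip -> {second: count}
    for ts, ip in parse_denied(lines):
        totals[ip] += 1
        per_sec[ip][ts] += 1
    offenders = {}
    for ip, n in totals.items():
        peak = max(per_sec[ip].values())
        if n >= total or peak >= per_second:
            offenders[ip] = (n, peak)
    return offenders


def ipset_rules(offenders, setname="dns-abusers"):
    """Render ipset/iptables commands that drop offenders on port 53 (udp and tcp)
    in the INPUT chain, i.e. before the nameserver process receives the packet."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    for ip in sorted(offenders):
        cmds.append(f"ipset add {setname} {ip} -exist")
    for proto in ("udp", "tcp"):
        cmds.append(f"iptables -I INPUT -p {proto} --dport 53 "
                    f"-m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG)
    for ip, (n, peak) in bad.items():
        print(f"{ip}: {n} denied queries, peak {peak}/s")
    print("\n".join(ipset_rules(bad)))
```

Using a single ipset rather than one iptables rule per address keeps the filter cheap regardless of how many offenders accumulate; run the script from cron against the rotated log and let the set's entries age out (ipset supports a timeout option) so a blocked address is not punished forever.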
