> ... I have a DNS server running in my DMZ behind a three interface
> shorewall firewall. I have started to see some DOS attacks on the
> name server ...
Dumb question: are there ANY legitimate external uses of your DNS servers?
If the _only_ legitimate external use of your DNS servers is to look up the
name->IP your firewall presents to the open Internet, maybe you can subcontract
that one entry to some external provider (for example whatever service your DNS
domain name is 'registered' with). Then your own DNS servers become entirely
private. (IMHO it often doesn't make a whole lot of sense to expose an entire
BIND server to the Internet for just one entry.)
Once there are _no_ legitimate external uses of your DNS servers, it seems to
me there's a real simple answer: Allow DNS traffic that _originates_ from the
servers (pulling zone transfers, recursing requests, etc.), but disallow all
DNS traffic that comes from outside. Just add a rule something like this:
# DNS runs over UDP for ordinary queries and TCP for zone transfers and large answers
DROP net dmz udp 53
DROP net dmz tcp 53
(If that definition of "originating" at first seems awkward, remember what
matters to Shorewall/iptables is 'who spoke first?', not 'which way is the
data flowing?', so it really does make sense.)
Depending on your environment, maybe you don't need the complexity of banning
individual IPs after all - maybe just an unchanging blanket policy is
sufficient.
thanks! -Chuck Kollars
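As an added illustration (not from Chuck's post), a Shorewall policy and rules excerpt for the posture he describes: the server may open DNS connections outward, internal clients may query it, and nothing from the Internet may open a connection to it. The zone names net, dmz and loc are assumed from a typical three-interface setup.

```conf
# Added example, not from the original post. Zones net, dmz, loc are assumed.

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG LEVEL)
# Default stance for anything the Internet tries to start toward the DMZ.
net     dmz     DROP    info

# /etc/shorewall/rules    (ACTION  SOURCE  DEST  PROTO  DEST PORT)
# Connections the name server opens itself: recursion to the Internet and
# zone transfers pulled from a master. The replies ride back on the
# conntrack state entry, so no inbound ACCEPT is needed for them.
ACCEPT       dmz     net     udp     53
ACCEPT       dmz     net     tcp     53

# Internal clients querying the now-private server.
ACCEPT       loc     dmz     udp     53
ACCEPT       loc     dmz     tcp     53

# Nothing from the Internet may open a DNS connection to the DMZ. With the
# DROP policy above these two lines are redundant, but logging them shows
# whether the flood is still arriving after the change.
DROP:info    net     dmz     udp     53
DROP:info    net     dmz     tcp     53
```

After `shorewall restart`, a query from an outside host (`dig @<public-ip> example.com` and `dig +tcp @<public-ip> example.com`) should time out on both transports while the server itself still resolves names and pulls its zones.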
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users