Date: Sat, 25 Mar 2000 15:21:47 +0200
From: Giorgos Keramidas
To: Kevin Oberman
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: DNS and FIREWALL

On Fri, Mar 24, 2000 at 07:51:42AM -0800, Kevin Oberman wrote:
>
> A valid point. If your server gets lots of AXFRs for a large zone, the
> lack of TCP capability would certainly block it. But, if I understand
> the attack correctly, it would also be prevented by use of the
> allow-transfer directive in the configuration.

Oh, this deserves a big thanks. I just read about allow-query too in
my bind docs. This is just what I was thinking. You can't always stop
a DoS attack, especially if it comes in the form of many hundred udp
requests. However, a properly tuned allow-query is an easy way of
stopping well known 'problem sources'.

Thanks for hinting on allow-transfer and making me read my bind docs
more carefully ;)

- Giorgos Keramidas
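
A named.conf fragment showing the two directives discussed in this thread, allow-transfer and allow-query, used together. It is an added example, not configuration from either poster; the ACL names, the addresses (documentation ranges) and the zone name are assumptions.

```conf
// Constructed example: every address below is from a documentation
// range and example.com is a placeholder zone.

// Secondaries that are allowed to pull the zone over TCP (AXFR).
acl secondaries {
    192.0.2.53;
    198.51.100.53;
};

// Well known 'problem sources' whose queries should be refused.
acl problem_sources {
    203.0.113.0/24;
};

options {
    // Refuse zone transfers by default; a zone opts in explicitly.
    allow-transfer { none; };

    // Address match lists are evaluated in order and the first match
    // wins, so the negated ACL has to come before "any".
    allow-query { !problem_sources; any; };
};

zone "example.com" {
    type master;
    file "example.com.db";

    // Only the listed secondaries may transfer this zone.
    allow-transfer { secondaries; };
};
```

The refused sources still reach the server's UDP port; allow-query only keeps named from answering them.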