Hello Lightner, Jeff,

Am 2011-10-17 13:28:43, hacktest Du folgendes herunter:
> While setting up blackholes in BIND works fine when I did this on
> Linux I found that setting up iptables to do drops for known bad
> IPs/ranges was slightly better as the traffic never gets to BIND in
> the first place as it is stopped at kernel level.  It simply DROPs the
> packet without telling the bad guys why packets didn't go through.
> 
> Example rules for various IPs that have annoyed me in the past:
> -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
> -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
> -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
> -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
> -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

...and you get the hell on you ass if you have several 1000 of them!
In this case, bind9 with RPZ is cheaper.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux
               Internet Service Provider, Cloud Computing
                <http://www.itsystems.tamay-dogan.net/>

itsystems@tdnet                     Jabber  linux4miche...@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3                   Tel office: +49-176-86004575
77694 Kehl                          Tel mobil:  +49-177-9351947
Germany                             Tel mobil:  +33-6-61925193  (France)

USt-ID:  DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Attachment: signature.pgp
Description: Digital signature

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to