Hello Lightner, Jeff,

On 2011-10-17 13:28:43, you hacked down the following:
> While setting up blackholes in BIND works fine when I did this on
> Linux I found that setting up iptables to do drops for known bad
> IPs/ranges was slightly better as the traffic never gets to BIND in
> the first place as it is stopped at kernel level. It simply DROPs the
> packet without telling the bad guys why packets didn't go through.
>
> Example rules for various IPs that have annoyed me in the past:
> -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
> -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
> -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
> -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
> -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

...and you get the hell on your ass if you have several 1000 of them!

In this case, bind9 with RPZ is cheaper.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>

itsystems@tdnet
Jabber linux4miche...@jabber.ccc.de
Owner Michelle Konzack
Gewerbe Strasse 3
77694 Kehl
Germany
Tel office: +49-176-86004575
Tel mobil: +49-177-9351947
Tel mobil: +33-6-61925193 (France)
USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
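Added example, not part of either poster's message: iptables walks a chain rule by rule, so one way to keep the rule count down as a block list grows is to validate the entries and collapse duplicates, covered addresses and adjacent ranges before emitting rules in the format quoted above. The function name and the sample block list are constructed for illustration; the chain name is the one from the quoted rules.

```python
import ipaddress

CHAIN = "RH-Firewall-1-INPUT"  # chain name from the quoted rules

# Constructed sample block list (documentation address ranges only).
SAMPLE = """\
192.0.2.10
192.0.2.11
192.0.2.10            # duplicate
198.51.100.0/25
198.51.100.128/25
198.51.100.77         # already covered by the ranges above
203.0.113.9; -j ACCEPT
0.0.0.0/0
"""

def build_drop_rules(lines, chain=CHAIN):
    """Return (rules, rejected) for a list of IPv4 addresses or CIDR ranges.

    Entries that do not parse as an address or network are rejected instead
    of being copied into the rules file, and a /0 entry is refused because
    it would drop all traffic.
    """
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen == 0:
            rejected.append(entry)
            continue
        nets.append(net)
    rules = []
    # collapse_addresses removes duplicates and merges adjacent/covered ranges.
    for net in ipaddress.collapse_addresses(nets):
        src = str(net.network_address) if net.prefixlen == 32 else str(net)
        rules.append(f"-A {chain} -s {src} -j DROP")
    return rules, rejected

if __name__ == "__main__":
    rules, rejected = build_drop_rules(SAMPLE.splitlines())
    print("\n".join(rules))
    for bad in rejected:
        print(f"# rejected: {bad!r}")
```

Collapsing only helps where entries overlap or sit next to each other; a list of several thousand scattered single addresses still produces several thousand rules.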