On Fri, Sep 4, 2015 at 3:29 PM, <sth...@nethelp.no> wrote:

>> One firewall should be enough.
>> So, what do you consider this firewall should do?
>> In my opinion:
>> Block requests coming from a blacklist (who will generate this list?)
>> Block denial of service requests. It needs to measure the request rate
>> to detect when it is under attack.
>> Block port scanners on public IPs.
>
> Before you put a firewall in front of a public facing name server,
> you might want to consider slide 16 of the following presentation:
>
> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>
> The slide headline is "Stateful firewalls in front of servers
> considered harmful!" - and the author has ample arguments for his
> point of view.
>
Oh man.... Depending on your query volume, a stateful firewall in front of a public NS sounds like a recipe for disaster--that connection tracking table would get large quite quickly.

We run host-based firewalls on our DNS servers--but they're stateless on port 53. (Uses the raw table in iptables to disable connection tracking.)

John

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
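John's message describes the split a host-based firewall on a name server can make: port 53 is exempted from connection tracking via the iptables raw table, while the rest of the host stays stateful. The following shell function, written as an added example for this thread (it is not John's ruleset, nor anything from ISC or BIND), emits an iptables-restore ruleset that implements that split. The management network 192.0.2.0/24 (an RFC 5737 documentation range) and SSH on port 22 are assumptions for illustration; adjust them for a real host.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for an authoritative DNS server whose
# port-53 traffic is handled statelessly (no conntrack entries) and whose
# other traffic is handled statefully. Example code for this thread, not
# from the original posting.

# Assumed administrative network allowed to reach SSH (RFC 5737 doc range).
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

dns_ruleset() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Queries arriving on 53 and replies leaving from 53 never enter the
# conntrack table, so query volume cannot fill it.
-A PREROUTING -p udp --dport 53 -j CT --notrack
-A PREROUTING -p tcp --dport 53 -j CT --notrack
-A OUTPUT -p udp --sport 53 -j CT --notrack
-A OUTPUT -p tcp --sport 53 -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Untracked packets never match ESTABLISHED/RELATED, so DNS must be
# accepted explicitly as UNTRACKED. Rate limiting, if wanted, belongs here.
-A INPUT -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -p tcp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
# Everything else remains stateful.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; apply it with: sh thisfile.sh | sudo iptables-restore
dns_ruleset
```

Two caveats for anyone adapting this: the `CT --notrack` target replaces the older `NOTRACK` target, so on legacy iptables builds substitute `-j NOTRACK`; and because untracked packets bypass state matching, a drop in the raw-table rules would silently turn the UNTRACKED accept rules into no-ops, so check `iptables -t raw -L -v` after loading.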