On Mar 27, 2013, at 11:54 AM, Owen DeLong <o...@delong.com> wrote:

> It's been available in linux for a long time, just not in BIND…
> 
> Here is a working ip6tables example:
> 
> -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
> 
> YMMV and you may wish to provide tighter limits (less than 30 QPM or a burst 
> of <90).


I am very concerned about examples such as this possibly being implemented by a 
well-intentioned sysadmin or neteng type without understanding their query load 
and patterns.  BIND with the RRL patch does log when things are happening.  
While the data is possible to extract from iptables, IMHO it's not quite as 
easy to audit as a syslog.

- Jared

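The check Jared is asking for, as an added example that is not code from either poster: replay a BIND query log through the same token bucket that `-m limit --limit 30/minute --limit-burst 90` implements, with the per-prefix ACCEPT rules modelled as an exemption list, and count what the rule would have refused before it is deployed. The bucket follows the documented semantics of the netfilter `limit` match (starts full at `--limit-burst`, refills at `--limit` tokens per unit, a packet matches only when a token is available). Assumptions: the BIND 9.9-era querylog line format shown in the comment, a constructed log rather than real traffic, and the worst-case simplification that every query is a NEW conntrack flow (a resolver reusing a source port within the UDP conntrack timeout would be ESTABLISHED and never reach the limit rule).

```python
"""Replay a BIND query log against a netfilter 'limit' token bucket.

Added example for this thread, not code from either poster.  Before putting
    -m limit --limit 30/minute --limit-burst 90
in front of port 53, run yesterday's query log through the same bucket model
and see what would have been refused.  Assumption: every query is treated as
a NEW conntrack flow, which is the worst case for collateral drops.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed line shape: BIND 9.9-era querylog, e.g.
#   27-Mar-2013 12:00:01.000 client 2001:db8::1#40001: query: example.net IN A + (2620:0:930::53)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9A-Fa-f:.]+)#\d+: query: (?P<qname>\S+) \S+ (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype); lines that don't match are skipped."""
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("client"), m.group("qname"), m.group("qtype")


class LimitMatch:
    """Token bucket mirroring 'ip6tables -m limit --limit R/UNIT --limit-burst B'."""
    UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}

    def __init__(self, limit, burst):
        rate, unit = limit.split("/")
        self.refill_per_sec = float(rate) / self.UNITS[unit]
        self.capacity = float(burst)
        self.tokens = float(burst)   # bucket starts full, so the first B packets always match
        self.last = None

    def allow(self, ts):
        """True if the packet at 'ts' matches the rule (and consumes a token)."""
        if self.last is not None:
            elapsed = (ts - self.last).total_seconds()
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False   # falls through to whatever rule follows (typically a REJECT)


def replay(lines, limit="30/minute", burst=90, exempt_prefixes=()):
    """Return counters describing what the rule set would have done to this log."""
    exempt = [ipaddress.ip_network(p) for p in exempt_prefixes]
    bucket = LimitMatch(limit, burst)
    stats = {"parsed": 0, "exempt": 0, "accepted": 0, "dropped": 0}
    dropped_by_client = Counter()
    per_minute = Counter()
    for ts, client, _qname, _qtype in parse_query_log(lines):
        stats["parsed"] += 1
        addr = ipaddress.ip_address(client)
        if any(addr in net for net in exempt):   # hit a per-prefix ACCEPT before the limit rule
            stats["exempt"] += 1
            continue
        per_minute[ts.replace(second=0, microsecond=0)] += 1
        if bucket.allow(ts):
            stats["accepted"] += 1
        else:
            stats["dropped"] += 1
            dropped_by_client[client] += 1
    stats["peak_per_minute"] = max(per_minute.values(), default=0)
    stats["dropped_by_client"] = dict(dropped_by_client)
    return stats


SERVER = "2620:0:930::53"   # constructed: the server's own listening address

def constructed_log():
    """Synthetic query log built for this example (constructed, not real traffic)."""
    def line(ts, client, qname):
        stamp = ts.strftime("%d-%b-%Y %H:%M:%S") + f".{ts.microsecond // 1000:03d}"
        return f"{stamp} client {client}#{40000 + ts.microsecond // 1000}: query: {qname} IN A + ({SERVER})"
    base = datetime(2013, 3, 27, 12, 0, 0)
    out = []
    for ms in range(3):      # from the allowlisted /48: never reaches the limit rule
        out.append(line(base.replace(microsecond=ms * 1000), "2620:0:930::1", "ns.example.net"))
    for ms in range(100):    # 100 queries in 100 ms from one outside address (constructed abuser)
        out.append(line(base.replace(second=1, microsecond=ms * 1000), "2001:db8:bad::1", "example.net"))
    # an unrelated resolver 1.4 s after the burst (bucket not yet refilled) and again 5.5 s later
    out.append(line(base.replace(second=2, microsecond=500000), "2001:db8:c0::5", "www.example.net"))
    out.append(line(base.replace(second=8), "2001:db8:c0::5", "mail.example.net"))
    out.append("27-Mar-2013 12:00:09.000 not a query line")   # ignored by the parser
    return out


if __name__ == "__main__":
    result = replay(constructed_log(),
                    exempt_prefixes=("2620:0:930::/48", "2001:470:1f00:3142::/64"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed log the abuser's burst exhausts the 90-token bucket, and because the bucket is global rather than per source, the innocent resolver that arrives 1.4 s later is refused as well; the same replay with a larger burst shows no drops. Running this against a real day's log, with `--limit` and `--limit-burst` taken from the rule you intend to load, is the "understand your query load" step before the rule goes live; if per-source limiting is wanted instead, the `hashlimit` match is the netfilter tool for that, and modelling it would need one bucket per source address.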