In our project infrastructure we have a nameserver, based on bind9. This nameserver is configured as primary and authoritative, so it is quite important. The question is, should I install and configure fail2ban for the purpose of protecting this DNS server? Is it worth it? I tried searching fail2ban configurations for Bind9/named, but there are only a few, and it seems like it is not something that people do (at least post) much.

If it makes any difference, Bind9 is running in a docker container with exposed 53/udp port.

hancack
  • What would the point be if it is a public service? (Also, UDP can be spoofed, but remember that DNS uses both UDP and TCP.) If the primary DNS is critical then keep it internal only and only expose a slave. Also add at least one off-site slave. (You can get free ones at he.net and afraid.org) – NiKiZe Dec 17 '21 at 11:03
  • @NiKiZe thank you for a great suggestion about exposing slaves only! And regarding the point of fail2ban installation, I thought that maybe it would add some strength to the server by blocking suspicious IP addresses or something. – hancack Dec 17 '21 at 11:49
  • Define "suspicious" :-) There are few tools really tailored for DNS, so it is often a bad idea to put things in front of a DNS server. There are 2 paths you can follow: look at the bind RRL feature, which is rate limiting, and for really powerful needs look at `dnsdist`, which sits in front of nameservers and allows fine control of traffic. – Patrick Mevzek Dec 17 '21 at 15:11
  • @PatrickMevzek I guess some client trying to make an excessive amount of requests to the server could fall under the category "suspicious", I don't know :) Currently the project is just starting, so I guess it would be okay to leave bind as it is without any additional protection. Thanks for your reply, I will definitely take a look at the tools you mentioned! – hancack Dec 17 '21 at 17:30
  • I basically created a new rule for the spam, you may take a look at my github repository https://github.com/djdomi/fail2ban-rules – djdomi Dec 19 '21 at 18:05

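As an added illustration (not from the question or any commenter) of the two measures the comments recommend instead of a fail2ban jail: a hidden primary that only internal hosts and its secondaries can query, and a public secondary with BIND's Response Rate Limiting (RRL) enabled. All addresses, the zone name, file paths and the TSIG key are placeholders; the `type primary`/`type secondary`/`primaries` keywords assume BIND 9.16 or newer.

```conf
// ---- hidden primary: /etc/bind/named.conf (example fragment, placeholders) ----
// Generate the real secret with tsig-keygen; never commit it to a repository.
key "xfer-key" { algorithm hmac-sha256; secret "REPLACE-WITH-tsig-keygen-OUTPUT"; };

acl "internal"    { 10.0.0.0/8; };                 // where the project's own hosts live
acl "secondaries" { 203.0.113.10; 198.51.100.20; }; // the only servers that pull zones

options {
    listen-on { 10.0.0.53; };            // private interface only; nothing published on 53/udp
    recursion no;                        // authoritative servers should never recurse
    allow-query { internal; secondaries; };
    allow-transfer { key "xfer-key"; };  // AXFR/IXFR require the TSIG key, not just a source IP
    notify explicit;                     // notify the listed secondaries, not every NS record
    also-notify { 203.0.113.10 key "xfer-key"; 198.51.100.20 key "xfer-key"; };
};

zone "example.com" { type primary; file "/var/lib/bind/db.example.com"; };

// ---- public secondary: /etc/bind/named.conf (same key and acl blocks, omitted) ----
// This is the only server the Internet talks to; it reaches the primary over a private link.
options {
    recursion no;
    allow-query { any; };
    allow-transfer { none; };            // the public face hands out answers, not whole zones
    rate-limit {
        responses-per-second 10;         // identical answers per client block per second
        nxdomains-per-second 5;          // NXDOMAIN floods are a common amplification pattern
        errors-per-second 5;
        window 5;                        // seconds over which the per-block budget is averaged
        slip 2;                          // every 2nd dropped reply is sent truncated (TC=1), so
                                         // genuine clients retry over TCP; spoofed ones get nothing
        ipv4-prefix-length 24;           // clients are counted per /24, not per address
        exempt-clients { internal; secondaries; };
        log-only yes;                    // observe first; switch to "no" once the limits look sane
    };
};

zone "example.com" {
    type secondary;
    primaries { 10.0.0.53 key "xfer-key"; };
    file "/var/cache/bind/db.example.com";
};
```

Unlike a fail2ban ban on a source address, RRL rate-limits the responses themselves and still lets real clients fall back to TCP, so a spoofed UDP flood cannot be used to lock out a legitimate resolver.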
0 Answers