Is it worth it to install and configure fail2ban for a Bind9 authoritative DNS server?

In our project infrastructure we have a nameserver, based on bind9. This nameserver is configured as primary and authoritative, so it is quite important. The question is, should I install and configure fail2ban for the purpose of protecting this DNS server? Is it worth it? I tried searching fail2ban configurations for Bind9/named, but there are only a few, and it seems like it is not something that people do (at least post) much.

If it makes any difference, Bind9 is running in a docker container with exposed 53/udp port.

NiKiZe:
What would the point be if it is a public service? (Also UDP can be spoofed, but remember that DNS uses both UDP and TCP.) If the primary DNS is critical, then keep it internal only and only expose a slave. Also add at least one off-site slave. (You can get free ones at he.net and afraid.org.)
hancack:
@NiKiZe thank you for a great suggestion about exposing slaves only! And regarding the point of fail2ban installation, I thought that maybe it will add some strength to the server by blocking suspicious IP addresses or something.
Patrick Mevzek:
Define "suspicious" :-) There are few tools really tailored for DNS, so it is often a bad idea to put things in front of a DNS server. There are 2 paths you can follow: look at the bind RRL feature, which is rate limiting, and for really powerful needs look at `dnsdist`, which sits in front of nameservers and allows fine control of traffic.
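As an added illustration of the BIND RRL feature mentioned in the comment above (this is example configuration, not the asker's setup or anything posted by the commenters), a `rate-limit` block for `named.conf` with each option commented. The thresholds, the log path and the exempt network 192.0.2.0/24 are illustrative placeholders, not tuned values.

```conf
options {
    // ... existing options such as directory, listen-on, allow-query ...

    // Response Rate Limiting (RRL): counts identical responses per client
    // network and starts dropping or truncating once a limit is exceeded.
    rate-limit {
        // Identical responses (same name, type, rcode) to one client prefix per second.
        responses-per-second 10;
        // NXDOMAIN answers are the usual vector in random-subdomain floods; keep this lower.
        nxdomains-per-second 5;
        // SERVFAIL/REFUSED and similar error answers.
        errors-per-second 5;
        // Seconds over which the per-second budget is averaged (burst tolerance).
        window 5;
        // Instead of silently dropping every rate-limited response, answer every
        // 2nd one with a truncated (TC=1) reply so legitimate resolvers retry over TCP
        // while spoofed UDP sources gain no amplification.
        slip 2;
        // Clients are aggregated by network prefix, not by single address.
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        // Never rate-limit localhost or our own secondaries/monitoring (placeholder range).
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };
        // Start in observation mode: log what would be limited without dropping anything.
        // Switch to "no" once the thresholds are confirmed against real traffic.
        log-only yes;
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 10m;
        severity info;
        print-time yes;
    };
    // RRL decisions go to their own file so they can be reviewed before enforcing.
    category rate-limit { rrl_log; };
};
```

With `log-only yes` the server behaves exactly as before; review the `rate-limit` log for a few days to confirm that only abusive sources would have been limited before turning enforcement on.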
hancack:
@PatrickMevzek I guess some client trying to make an excessive amount of requests to the server could fall under the category "suspicious", I don't know :) Currently the project is just starting, so I guess it would be okay to leave bind as it is without any additional protection. Thanks for your reply, I will definitely take a look at the tools you mentioned!
djdomi:
I basically created a new rule for the spam; you may take a look at my GitHub repository https://github.com/djdomi/fail2ban-rules