  1. #1

    Is it advisable to block based on tcpdump Refused output?


    The DNS server can log denied DNS queries and I can use fail2ban or ConfigServer Firewall to ban IPs with excessive denied log entries, but my CentOS 6 log file (/var/log/messages) is 2GB for the last around 72 hours thanks to denied queries. It is not an attack. So I thought I could disable logging of these DNS denied queries and instead monitor tcpdump output for refused queries and ban IPs with too many refused. What do you think? Is that actually possible and wise?

    tcpdump -nn -vv net myserverip and port 53|grep Refused
    myserverip.53 > someip1.18870: [udp sum ok] 39049 Refused- q: A? 0/0/1 ar: . OPT UDPsize=4096 OK (41)
    myserverip.53 > someip2.28663: [udp sum ok] 52357 Refused- q: A? 0/0/1 ar: . OPT UDPsize=4096 OK (40)
    Is there any already-made solution that filters tcpdump output for blocking?

  2. #2
    Hi postcd,

    I haven't heard of such a solution, nor of the existence of a DNS gateway. In the case of a high-traffic service, it is recommended to scale up the DNS service over many servers and put a load balancer in front of them.

    You can program a simple daemon to read the denied-request logs and make iptables requests based on the extracted IP addresses.

    Hope it helps.
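As an added example (not code posted by either participant in this thread), the script below is one way to do what the question asks and what the reply sketches: parse the "Refused-" lines from `tcpdump -nn -vv` output like the ones quoted above, or alternatively the "query ... denied" lines a DNS server writes to /var/log/messages, count them per client address, and turn the addresses over a threshold into iptables commands. The tcpdump line shape is taken from the question; the syslog line shape is assumed to be BIND's "client A.B.C.D#port: query ... denied" message. The sample lines are constructed with documentation addresses, and the iptables commands are generated as strings rather than executed, so the script runs offline and can be reviewed before anything is applied.

```python
"""Count refused/denied DNS queries per client and propose block rules.

Added example, not code from the thread. Assumes:
  * tcpdump -nn -vv response lines of the form
      "<server>.53 > <client>.<port>: [udp sum ok] <id> Refused- q: A? ..."
  * syslog lines in BIND's (assumed) format
      "named[pid]: client <ip>#<port>: query (cache) '<name>' denied"
"""
import re
import sys
from collections import Counter

# Client address is the destination of the server's response (after ">").
# \S+ backtracks to the last dot before the port, so dotted IPv4 and IPv6 both work.
TCPDUMP_REFUSED = re.compile(r">\s+(\S+)\.(\d+):.*\bRefused\b")

# Assumed BIND syslog format for a denied query.
BIND_DENIED = re.compile(r"client (\S+)#\d+.*: query .* denied")

# Constructed sample input: three refused responses to one client, one to
# another, and one normal (answered) response that must not be counted.
SAMPLE_TCPDUMP = [
    "203.0.113.5.53 > 198.51.100.7.18870: [udp sum ok] 39049 Refused- q: A? 0/0/1 ar: . OPT UDPsize=4096 OK (41)",
    "203.0.113.5.53 > 198.51.100.7.28663: [udp sum ok] 52357 Refused- q: A? 0/0/1 ar: . OPT UDPsize=4096 OK (40)",
    "203.0.113.5.53 > 198.51.100.7.41022: [udp sum ok] 11111 Refused- q: A? 0/0/1 ar: . OPT UDPsize=4096 OK (40)",
    "203.0.113.5.53 > 192.0.2.9.5353: [udp sum ok] 777 Refused- q: A? 0/0/1 ar: . OPT UDPsize=4096 OK (40)",
    "203.0.113.5.53 > 192.0.2.10.5000: [udp sum ok] 778 q: A? 1/0/0 example.com. A 192.0.2.1 (56)",
]

# Constructed sample syslog lines in the assumed BIND format.
SAMPLE_SYSLOG = [
    "Jan  1 12:00:00 ns1 named[1234]: client 198.51.100.7#18870: query (cache) 'example.com/A/IN' denied",
    "Jan  1 12:00:01 ns1 named[1234]: client 192.0.2.9#5353: query (cache) 'example.org/A/IN' denied",
    "Jan  1 12:00:02 ns1 named[1234]: client 192.0.2.9#5354: query (cache) 'example.org/A/IN' denied",
]


def count_refused(lines):
    """Return a Counter of refused/denied queries keyed by client address."""
    counts = Counter()
    for line in lines:
        match = TCPDUMP_REFUSED.search(line) or BIND_DENIED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def offenders(counts, threshold):
    """Client addresses with at least `threshold` refused queries, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips, chain="INPUT"):
    """Build the iptables commands for a list of addresses (strings only; nothing is run)."""
    return [f"iptables -I {chain} -s {ip} -p udp --dport 53 -j DROP" for ip in ips]


if __name__ == "__main__":
    # Usage: tcpdump -nn -vv net <serverip> and port 53 | python3 refused_dns.py 50
    # (counts until EOF; for a long-running capture, wrap this in a time window)
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 50
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    for rule in iptables_rules(offenders(count_refused(source), limit)):
        print(rule)
```

Two points worth keeping in mind before wiring this into a firewall. First, the threshold should be applied per time window, not over the whole capture, otherwise a busy but legitimate resolver eventually crosses it. Second, DNS over UDP carries no proof of the source address, so a client that appears to send many refused queries may be a victim whose address is being spoofed; blocking on this signal alone can cut off legitimate users, which is why a conservative threshold, a ban expiry (fail2ban's `bantime` does this) and whitelisting of known resolvers are the usual companions to this kind of rule.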
