[Security Loophole] DNS Blocking Applies to UDP Only

Questions regarding the DNS Server
BIND
kareem
Posts: 3
Joined: Fri Sep 08, 2017 2:33 am

Postby kareem » Sun Nov 19, 2017 12:07 am

The Fail2ban DNS chain in Vesta blocks port 53 UDP only. Since domains can be resolved using TCP, any rules that fail2ban adds will not really stop an attacker from continuously resolving over TCP.

This can be fixed by adding a second rule to the fail2ban chain in the Vesta configuration to block 53 TCP as well.

Code:

CHAIN='DNS' PORT='53' PROTOCOL='TCP'

This new chain rule should be added in /usr/local/vesta/data/firewall/chains.conf in addition to the existing UDP rule.

Please include this in the next update.
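Added example (not part of the post above and not Vesta's own code): a small audit script that parses the KEY='VALUE' line format of chains.conf shown in the post and reports any chain that covers a port on only one of TCP/UDP, printing the missing rule line in the same format. The sample file contents are constructed for the example; the only assumption about the real file is the line format quoted in the post (CHAIN, PORT, PROTOCOL keys, single-quoted values).

```python
import re
from collections import defaultdict

# Constructed sample in the chains.conf line format from the post; not the real file.
SAMPLE_CHAINS_CONF = """\
CHAIN='SSH' PORT='22' PROTOCOL='TCP'
CHAIN='DNS' PORT='53' PROTOCOL='UDP'
CHAIN='MAIL' PORT='25' PROTOCOL='TCP'
"""

# Ports that should be blocked on both transports when a chain targets them.
DUAL_PROTOCOL_PORTS = ('53',)

KV_RE = re.compile(r"(\w+)='([^']*)'")


def parse_chains(text):
    """Parse chains.conf-style text into a list of dicts, one per rule line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        entry = dict(KV_RE.findall(line))
        if not {'CHAIN', 'PORT', 'PROTOCOL'} <= entry.keys():
            raise ValueError(f"line {lineno}: missing CHAIN/PORT/PROTOCOL: {raw!r}")
        entry['PROTOCOL'] = entry['PROTOCOL'].upper()
        entries.append(entry)
    return entries


def find_protocol_gaps(entries, ports=DUAL_PROTOCOL_PORTS):
    """Return {(chain, port): [missing protocols]} for ports in `ports`
    that a chain blocks on only one of TCP/UDP."""
    seen = defaultdict(set)
    for e in entries:
        if e['PORT'] in ports:
            seen[(e['CHAIN'], e['PORT'])].add(e['PROTOCOL'])
    gaps = {}
    for key, protos in seen.items():
        missing = sorted({'TCP', 'UDP'} - protos)
        if missing:
            gaps[key] = missing
    return gaps


def missing_rule_lines(gaps):
    """Render the rule lines that would close each gap, in chains.conf format."""
    return [
        f"CHAIN='{chain}' PORT='{port}' PROTOCOL='{proto}'"
        for (chain, port), protos in sorted(gaps.items())
        for proto in protos
    ]


if __name__ == '__main__':
    gaps = find_protocol_gaps(parse_chains(SAMPLE_CHAINS_CONF))
    if not gaps:
        print("no protocol gaps found")
    for line in missing_rule_lines(gaps):
        print("missing rule:", line)
```

To audit a live system, replace SAMPLE_CHAINS_CONF with the contents of /usr/local/vesta/data/firewall/chains.conf; with the sample above the script reports the one missing TCP line for the DNS chain.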
