Replacing word of caution with big fat warning and commenting out named-refused-udp completely (Closes: #583364)

2010-06-28 21:45:47 -04:00 · 2010-06-28 21:45:47 -04:00 · 833f60a38a
parent d1b9e71173
commit 833f60a38a
1 changed files with 14 additions and 11 deletions
--- a/debian/jail.conf
+++ b/debian/jail.conf
@ -262,17 +262,20 @@ logpath  = /var/log/mail.log
 #
 # in your named.conf to provide proper logging

-# Word of Caution:
-# Given filter can lead to DoS attack against your DNS server
-# since there is no way to assure that UDP packets come from the
-# real source IP
-[named-refused-udp]
-
-enabled  = false
-port     = domain,953
-protocol = udp
-filter   = named-refused
-logpath  = /var/log/named/security.log
+# !!! WARNING !!!
+#   Since UDP is connectionless protocol, spoofing of IP and immitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled  = false
+#port     = domain,953
+#protocol = udp
+#filter   = named-refused
+#logpath  = /var/log/named/security.log

 [named-refused-tcp]