diff --git a/debian/jail.conf b/debian/jail.conf
index ef4c7438..931db9af 100644
--- a/debian/jail.conf
+++ b/debian/jail.conf
@@ -262,17 +262,20 @@ logpath = /var/log/mail.log
 #
 # in your named.conf to provide proper logging
-# Word of Caution:
-# Given filter can lead to DoS attack against your DNS server
-# since there is no way to assure that UDP packets come from the
-# real source IP
-[named-refused-udp]
-
-enabled = false
-port = domain,953
-protocol = udp
-filter = named-refused
-logpath = /var/log/named/security.log
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled = false
+#port = domain,953
+#protocol = udp
+#filter = named-refused
+#logpath = /var/log/named/security.log
 [named-refused-tcp]