iptables connlimit for DNS? - Security



  1. iptables connlimit for DNS?

    Is doing this overkill?

    /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 53 -m connlimit ! --connlimit-above 10 -j ACCEPT

    Is there no good reason to want to set a maximum number of simultaneous
    connections to port 53, to stop flooding? How long does a single
    lookup take? Does a lookup actually close the connection/port after it's
    done? I don't know how traffic on port 53 happens like I do on other ports.

    Thanks.
    kenw232@yahoo.com

  2. Re: iptables connlimit for DNS?

    Ken Williams (06-11-04 19:28:19):

    > Is doing this overkill?
    >
    > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 53 -m connlimit !
    > --connlimit-above 10 -j ACCEPT
    >
    > Is there no good reason to want to set a maximum number of
    > simultaneous connections to port 53? to stop flooding. How long does
    > a single lookup take? does a lookup actually close the
    > connection/port after its done? I don't know how traffic on port 53
    > happens like I do on other ports.
    Actually it won't change anything, since DNS lookups are done via UDP.
    Further, if you install a DNS cache and activate its anti-flood
    mechanisms, then there won't be a need for special Netfilter treatment
    anymore.
    Regards,
    E.S.
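Taking both posts together: the original rule only ever sees TCP, while ordinary lookups arrive as UDP datagrams, and a DNS resolver's own rate limiting is the better first line of defence. The script below is an added example, not code from either poster, of a Netfilter rule set that treats the two transports separately: hashlimit per source address for UDP (which has no connections for connlimit to count) and the thread's connlimit cap of 10 for TCP, which DNS still uses for answers too large for a UDP datagram and for zone transfers. The interface, the iptables path and the rate values are assumptions; DRY_RUN=1 (the default) prints the rules instead of applying them so it can be run without root.

```shell
#!/bin/sh
# Added example, not code from the thread: a rule set that limits DNS traffic
# on both transports. Interface, limits and the iptables path are assumptions.
# With DRY_RUN=1 (the default) the rules are printed instead of applied, so the
# script runs without root; set DRY_RUN=0 to apply them.

IPT=${IPT:-/usr/sbin/iptables}
IFACE=${IFACE:-eth0}
DRY_RUN=${DRY_RUN:-1}

# Print the rule when dry-running, otherwise hand it to iptables.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

dns_rules() {
    # UDP carries ordinary lookups as single datagrams: nothing is "connected",
    # so connlimit has nothing to count. Limit queries per source address with
    # hashlimit instead (50/s sustained, bursts of 100; both values assumed).
    rule -A INPUT -p udp -i "$IFACE" --dport 53 \
        -m hashlimit --hashlimit-name dns-udp --hashlimit-mode srcip \
        --hashlimit-upto 50/second --hashlimit-burst 100 -j ACCEPT
    rule -A INPUT -p udp -i "$IFACE" --dport 53 -j DROP

    # TCP is used for answers too large for a UDP datagram and for zone
    # transfers; here connlimit does apply. Cap concurrent connections per
    # source /32 at 10 (the thread's number) and accept the rest.
    rule -A INPUT -p tcp -i "$IFACE" --dport 53 \
        -m connlimit --connlimit-above 10 --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    rule -A INPUT -p tcp -i "$IFACE" --dport 53 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Self-check for the dry run: number of generated rules that match port 53.
count_rules() {
    dns_rules | grep -c -- "--dport 53"
}

dns_rules
```

The order matters: the hashlimit ACCEPT must come before the UDP DROP, and the connlimit REJECT before the TCP ACCEPT, because Netfilter stops at the first matching target. Whatever the firewall does, the reply's point stands: a caching resolver with its own anti-flood settings limits by query content and client, which a packet filter cannot see.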
