# Limit recursive service on this BIND server to the site's own networks.
# allow-recursion controls which clients may ask named to resolve names on
# their behalf; allow-query-cache controls which clients may be answered from
# the cache. Tying both to one ACL keeps the server from acting as an open
# resolver for arbitrary Internet hosts.
[root@dns ~]# vim /etc/named.conf
# Confirm the edit: the ACL definition and both options that reference it.
[root@dns ~]# grep local_subnet /etc/named.conf
acl "local_subnet"{ 163.17.0.0/16; 120.110.0.0/16; };
allow-query-cache { local_subnet; };
allow-recursion { local_subnet; };
# NOTE(review): the ACL admits two whole /16 networks; confirm that every
# address in both ranges is meant to have recursive service.
# NOTE(review): running named-checkconf before the restart would catch a
# syntax error in the edited file before it takes the name server down.
# The restart makes named load the new ACL.
[root@dns ~]# /etc/init.d/named restart
[root@dns ~]# yum install fail2ban
[root@dns ~]# vim /etc/fail2ban/jail.conf [root@dns ~]# /etc/init.d/fail2ban start [root@dns ~]# chkconfig fail2ban on
# Create three jails in the running fail2ban server and print the status of
# each one. fail2ban-client talks to the running server and does not write
# the configuration files, so a jail added this way is lost on restart unless
# a jail of the same name is also enabled in the configuration.
#
# Every status below has an empty "File list" and zero counters: at this
# point no log file is attached to the jail, so it has nothing to match and
# cannot ban any address. A working jail needs a filter, a logpath and an
# action, and has to be started.
# NOTE(review): presumably jails with these names were enabled in jail.conf
# during the earlier edit; the transcript does not show it. After a reload,
# "File list" should name the log file being watched.
[root@dns ~]# fail2ban-client add nsd
Added jail nsd
[root@dns ~]# fail2ban-client status nsd
Status for the jail: nsd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
# The named-refused jails match refused-query messages in a named log file.
# NOTE(review): named must be set up to write its "security" logging category
# to the file the jail watches; the named.conf lines shown on this page do not
# include a logging section, so confirm that this is configured.
[root@dns ~]# fail2ban-client add named-refused
Added jail named-refused
[root@dns ~]# fail2ban-client status named-refused
Status for the jail: named-refused
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
# NOTE(review): UDP source addresses can be forged, so a jail that bans on
# refused UDP queries can end up blocking a legitimate host whose address was
# spoofed. Exempt the site's own resolvers and networks with ignoreip, and
# review the banned list after enabling it.
[root@dns ~]# fail2ban-client add named-refused-udp
Added jail named-refused-udp
[root@dns ~]# fail2ban-client status named-refused-udp
Status for the jail: named-refused-udp
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list: