[Samba] DNS amplification attacks

Marc Muehlfeld samba at marc-muehlfeld.de
Tue Feb 25 12:02:18 MST 2014


Hello Bruno,

Am 25.02.2014 19:31, schrieb Bruno Vane:
> How can I configure samba4 to be protected against DNS amplification
> attacks? Is there a way to set the network I want it to be recursive,
> like in bind9?

Have you tried 'allow-recursion' in BIND? If this doesn't work, I guess 
it's not supported (yet) in combination with the DLZ module.



> My samba4 is receiving attacks and googling I found this:
> http://dnsamplificationattacks.blogspot.com.br/2014/02/domain-gerdar3ru.html

But do you really want your DC listening on your internet NIC and 
provide DNS and other Samba services to internet users?

If not, you can tell Samba to listen only on the other interfaces. See
https://wiki.samba.org/index.php/Samba_port_usage#Prevent_Samba_from_listening_on_all_interfaces


If your DNS should be accessible from the internet and you want to 
manage the zones via AD, then I would recommend that you place an 
additional machine with BIND in your DMZ that is forwarding the 
requests you want to allow to your DC.


Regards,
Marc
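The two measures suggested in the reply, as an added illustration (not Marc's own configuration and not part of the Samba project's documentation): a BIND `named.conf` fragment that restricts recursion to an ACL of internal networks, and an `smb.conf` fragment that keeps the DC from listening on the internet-facing NIC. The interface names (`lo`, `eth0`) and the address ranges in the `trusted` ACL are assumptions; replace them with your own. As the reply notes, whether `allow-recursion` takes effect for the AD zones served through the Samba DLZ module is not confirmed here, so verify it against your own installation.

```conf
# --- /etc/named.conf (BIND) fragment: only internal clients may recurse ---
# Addresses below are constructed placeholders for this example.
acl "trusted" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    # Weak setting an open resolver would have (commented out on purpose):
    # allow-recursion { any; };

    # Hardened: answer recursive queries and serve cached data only for the
    # trusted ACL; everyone else gets authoritative answers at most.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    # Authoritative zones may stay world-readable if they must be.
    allow-query { any; };
};

# --- /etc/samba/smb.conf fragment: do not listen on the internet NIC ---
[global]
    # "eth0" is assumed to be the internal interface; "lo" keeps local
    # tools (e.g. samba-tool) working.
    interfaces = lo eth0
    bind interfaces only = yes
```

Reload BIND with `rndc reload` (or restart `named`) and restart Samba after the change; then confirm from an address outside the `trusted` ACL that a recursive query for a name you are not authoritative for is refused, while the same query from an internal host still succeeds. Restricting `allow-query-cache` together with `allow-recursion` matters: without it, cached answers can still be served to arbitrary clients even when recursion itself is denied.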

