[Samba] DNS amplification attacks

Bruno Vane broonu at gmail.com
Tue Feb 25 12:35:14 MST 2014


Thank you Marc,

I will change the Samba config to listen only on the internal interface.

2014-02-25 16:02 GMT-03:00 Marc Muehlfeld <samba at marc-muehlfeld.de>:
> Hello Bruno,
>
> On 25.02.2014 19:31, Bruno Vane wrote:
>
>> How can I configure samba4 to be protected against DNS amplification
>> attacks? Is there a way to set the network I want it to be recursive,
>> like in bind9?
>
>
> Have you tried 'allow-recursion' in BIND? If this doesn't work, I guess it's
> not supported (yet) in combination with the DLZ module.
>
>
>
>
>> My samba4 is receiving attacks and googling I found this:
>>
>> http://dnsamplificationattacks.blogspot.com.br/2014/02/domain-gerdar3ru.html
>
>
> But do you really want your DC listening on your internet NIC and providing
> DNS and other Samba services to internet users?
>
> If not, you can tell Samba to listen only on the other interfaces. See
> https://wiki.samba.org/index.php/Samba_port_usage#Prevent_Samba_from_listening_on_all_interfaces
>
>
> If your DNS should be accessible from the internet and you want to manage
> the zones via AD, then I would recommend that you place an additional
> machine with BIND in your DMZ, that is forwarding the requests, you want to
> allow, to your DC.
>
>
> Regards,
> Marc



-- 

---------------------------------------
Bruno Vane
S.O. do Brasil Telecomunicações
+55 24 99306-8618 | +55 24 3345-0002
www.zamix.com.br | www.superonda.com.br
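
Added example, not part of the thread and not Samba project code: a small audit of the [global] section of smb.conf that checks whether Samba is restricted to internal interfaces, as discussed above. The smb.conf parameters `interfaces` and `bind interfaces only` are not named in the thread; the interface names eth0 (internet) and eth1 (LAN) and both sample configs are constructed assumptions.

```python
import re

# Constructed sample configs; eth0 = internet NIC, eth1 = LAN NIC (assumed names).
EXPOSED = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
"""

HARDENED = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    interfaces = lo eth1
    bind interfaces only = yes
"""

def global_params(text):
    """Return [global] parameters; names are compared ignoring case and spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text, external=("eth0",)):
    """List reasons why Samba could still answer on an external interface."""
    p = global_params(text)
    findings = []
    if p.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
        findings.append("'bind interfaces only' is not enabled")
    names = p.get("interfaces", "").split()
    if not names:
        findings.append("'interfaces' is not set")
    # Exact-name match only; address/mask or wildcard entries are not resolved here.
    findings += [f"external interface listed: {n}" for n in names if n in external]
    if names and not {"lo", "127.0.0.1"} & set(names):
        findings.append("loopback missing from 'interfaces'")
    return findings

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit(conf) or "ok")
```

After restarting Samba with the hardened settings, confirm with a socket listing on the DC that port 53 is no longer bound on the internet-facing address.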

