dns tunnels a threat?
David Bird
mem.corruption at gmail.com
Fri Sep 7 11:50:54 UTC 2007
On 9/7/07, nextime at nexlab.it <nextime at nexlab.it> wrote:
>
> SOA and MX shuld be dropped imho.
> Maybe AAAA shuld be added for future improvements with ipv6.
yeah, i think so too...
> is "dnsparanoid" filtering applied only to unauth users?
Oops, actually I named it dnsparanoia -- yes, only for unauth'ed clients.
Maybe this is too many restrictive, i think that a rate limiting for
> something like 4 A/CNAME request, with maybe also not more than
> 100/minute or not more than 10 for the same second level domain every
> minute shuld work.
The rate limiting is pretty easy to do with iptables for all users. This
kind of stuff is well suited for the ip-up/down and connection-up/down
scripts.
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.coova.org/pipermail/chilli/attachments/20070907/244699e1/attachment.htm>
More information about the Chilli
mailing list