Folks,
Does anyone know anything about this (below):
# Fixing Open DNS Servers
# An open DNS server is a DNS server that responds to recursive queries
# (queries for domains that the DNS server is not authoritative for, such as
# websites that you go to, or domains that you send mail to, rather than your own domain),
# and does so for anyone (rather than just clients on your local network).
# When DNS servers and mailservers were originally put into use, they were all open.
# That's just how the Internet was way back when. Over the years, spammers started relaying through
# open relays, so the best practice became not to run open relay mailservers. For quite a
# few years now, best practice has been not to have a DNS server be both authoritative and
# caching (doing recursive lookups). But most DNS servers are still open.
#
# The problem is that there are now DDoS attacks (attacks that send lots of data to a computer,
# so that it becomes overloaded) that use open DNS servers, using amplification (sending small
# packets to a computer that then sends large packets to the victim, making it possible to send
# more data to the victim). Specifically, a UDP DNS packet is sent with a forged source IP address
# (the one of the victim), and a query is made in a small packet (about 75 bytes) for a domain that
# has a very large response packet (using EDNS0, it can be 4,000 or more bytes). The response
# packet then goes to the victim. The victim gets about 50 times as much data as the attacker
# is sending out. So with a dialup connection, they could saturate a T1 line.
#
# NOTE: These instructions show you how to completely disable recursion. This is the best practice.
# However, if you need to run a DNS server that is both authoritative and recursive/caching, you
# will need to check the DNS server documentation to find out how to enable recursive lookups only
# for your local network. It seems that there is no way to do this with Microsoft DNS; if so, you
# will need to use other DNS server software or use a hosted DNS service. If anyone is aware of a way
# to get Microsoft DNS to allow recursion only to specific IP ranges, please let us know -- lots of
# people would like to do that.
#
# Fixing BIND
# Open named.conf with a text editor
# Use a line "recursion no;" in the "options" clause (or in the "view" clause)
# If you need to enable recursion for your local network, you can use an
# "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line in the "options" section.
# [Use caution; BIND files are easy to break]
# For complete hardening, see http://www.cymru.com/Documents/secure-bind-template.html.
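
An added example, not part of the original message or of the quoted text: a small offline check that reads a named.conf and reports whether its "options" clause carries the "recursion no;" or "allow-recursion" line described above. The sample configurations, function names and result labels are constructed for illustration; the check assumes a single top-level "options" clause and does not follow "view" clauses or included files.

```python
import re

# Constructed sample configurations (not taken from the original message).
OPEN_CONF = '''
options {
    directory "/var/named";
    // recursion no;   <- commented out, so it has no effect
};
zone "example.com" { type master; file "example.com.zone"; };
'''
CLOSED_CONF = 'options { directory "/var/named"; recursion no; };'
RESTRICTED_CONF = '''
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };  /* local ranges only */
};
'''
ANY_CONF = 'options { allow-recursion { any; }; };'

def strip_comments(text):
    """Remove /* */, // and # comments, the three styles named.conf accepts."""
    return re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', text, flags=re.S)

def options_body(text):
    """Return the text inside the top-level options { ... } clause, or ''."""
    m = re.search(r'\boptions\s*\{', text)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ''  # unbalanced braces: no usable options clause

def audit_recursion(conf_text):
    """Classify the options clause as 'closed', 'restricted', 'open' or 'unset'."""
    body = options_body(strip_comments(conf_text))
    if re.search(r'\brecursion\s+no\s*;', body):
        return 'closed'
    acl = re.search(r'\ballow-recursion\s*\{([^}]*)\}', body)
    if acl:
        entries = [e.strip() for e in acl.group(1).split(';') if e.strip()]
        return 'open' if 'any' in entries else 'restricted'
    return 'unset'  # nothing explicit: the quoted text treats such a server as open

if __name__ == '__main__':
    for conf in (OPEN_CONF, CLOSED_CONF, RESTRICTED_CONF, ANY_CONF):
        print(audit_recursion(conf))
```

A result of 'unset' or 'open' means the file has neither of the two lines the instructions call for; what the server does in that case depends on the defaults of the BIND version in use.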