
How do you do this with Windows firewall?

# Drop inbound UDP/53 on every interface except loopback
# (negation goes before the option; "--in-interface ! lo" is the deprecated form)
iptables -I INPUT ! --in-interface lo -p udp --dport 53 -j DROP

Ideally, this would be done with netsh, and in a way that will survive whatever it is that Microsoft does with "Add Role".

(Most of the net programming advice for netsh advfirewall seems to be about punching holes in the default configuration, not about securing stuff with it.)

Chris S
Des Cent
    Your statement "which they later set up Exchange on, which comes with a promiscuous DNS server, and joins the global DNS DDOS amplification network" is incorrect and is inflammatory hyperbole. Exchange Server doesn't come with a DNS server and there's no evidence that Microsoft's implementation of DNS would "automatically" become part of a DNS based DDOS attack. Furthermore, if you implement Microsoft's DNS server and it becomes part of a DNS based DDOS attack then you're doing it wrong. – joeqwerty Apr 04 '13 at 15:00
  • I'm not sure in what use case you would configure this firewall rule. If it is a DNS server, then you need to let in DNS queries. If it isn't then it doesn't matter if DNS queries are allowed to hit it since it wouldn't respond anyway... – August Apr 04 '13 at 18:25
  • August, the use case here is that the DNS server is useless – it is automatically configured by a few clicks, presumably so Active Directory can do DNS for the stuff it controls for the domain, which ties into the mail server. For a single server, the proper use of the DNS server is only internal. However, because the software insists on answering outside queries, it provides massive default scope for illegitimate queries coming from ISPs who allow their clients to spoof IPs and DDOS Bank of America and Spamhaus, while someone gets a hefty bill for excess traffic... unless it's firewalled. – Des Cent Apr 17 '13 at 16:45
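One way to do the equivalent with netsh advfirewall, added here as an example and not taken from the question or the comments (the rule names are my own, and it assumes an elevated cmd prompt on the server):

```batch
@echo off
REM Added example for this question, not code from the asker or from Microsoft.
REM Assumptions: rule names are my own choice; run from an elevated cmd prompt.
setlocal

REM Windows Firewall does not inspect loopback traffic, so there is no
REM "! -i lo" to write: the local resolver can still reach 127.0.0.1:53.
REM Block rules take precedence over allow rules, so these also outrank the
REM "DNS Service" allow rules that the DNS Server role creates on "Add Role".
set "UDP_RULE=Block inbound DNS (UDP 53)"
set "TCP_RULE=Block inbound DNS (TCP 53)"

call :addblock "%UDP_RULE%" UDP
REM DNS also uses TCP 53 (large answers, zone transfers), so cover it too.
call :addblock "%TCP_RULE%" TCP

REM Verify: the firewall must be ON for every profile, or the rules are inert.
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name="%UDP_RULE%"
netsh advfirewall firewall show rule name="%TCP_RULE%"
endlocal
exit /b 0

:addblock
REM %1 = quoted rule name, %2 = protocol. Idempotent: "show rule" is assumed to
REM return errorlevel 1 when nothing matches, so re-runs do not stack duplicates.
netsh advfirewall firewall show rule name=%1 >nul 2>&1
if %errorlevel% equ 0 (
    echo Rule %1 already present, not re-adding.
    exit /b 0
)
REM To keep answering LAN clients instead, narrow the scope (profile=public or
REM remoteip=<ranges>); netsh has no negated remoteip, so "everything except
REM the LAN" has to be written as an explicit list of remote ranges.
netsh advfirewall firewall add rule name=%1 dir=in action=block protocol=%2 localport=53 profile=any enable=yes
exit /b 0
```

Because the rules are persisted in the firewall policy store, they remain after the DNS Server role adds its own allow rules; re-run the last three commands after "Add Role" to confirm they are still listed and enabled.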

0 Answers