{"id":203,"date":"2015-08-24T16:41:39","date_gmt":"2015-08-24T14:41:39","guid":{"rendered":"https:\/\/blog.unetresgrossebite.com\/?p=203"},"modified":"2015-08-24T16:42:15","modified_gmt":"2015-08-24T14:42:15","slug":"why-unetresgrossebite-com","status":"publish","type":"post","link":"https:\/\/blog.unetresgrossebite.com\/?p=203","title":{"rendered":"Why UneTresGrosseBite.com?"},"content":{"rendered":"<p>Lately, I&#8217;ve been asked a lot about my domain name, during job interviews mostly.<br \/>\nAnd I can understand why it\u00a0might seem\u00a0shocking, at first sight.<\/p>\n<p>About 5 years ago, I was living with a roommate, who registered the domain unegrossebite.com.<br \/>\nIt was kind of funny, to have a custom PTR record.<br \/>\nA colleague of mine registered whatabigdick.com.<br \/>\nWhen my\u00a0roommate left, I had to subscribe for my own ADSL, and ended up registering my own domain as well. And went further, with unetresgrossebite.com.<\/p>\n<p>Over time, there&#8217;s one observation I could make: these kinds of domains are\u00a0most likely to be targeted by botnets, people scanning your sites with no respect for your robots.txt, &#8230;<\/p>\n<p>A perfect example illustrating this would be my DNS services.<br \/>\nIt all started with a single dedicated server, hosted by Leaseweb, where I hosted several services. One of these being\u00a0bind.<br \/>\nIt was my first DNS server, and I made a lot of mistakes such as allowing recursion or permissive ACLs. It went very badly, very quickly. 
I was receiving lots of <em>ANY<\/em> requests, generating from 10 to 50Mb\/s targeted to a few IPs.<br \/>\nFixing bind configuration and adding hexstring-based rules to my firewall helped, though attacks kept going for months.<br \/>\nOver time, I subscribed for another dedicated server with Iliad, and noticed both Iliad and Leaseweb provide free zone caching services: having a server, you may define several domains of yours in their manager, and ask for\u00a0their replication.<br \/>\nBasically: using split-horizon, I am able to serve internal clients with my own DNS\u00a0servers, and to push a public view of my zones to Iliad and Leaseweb DNS servers. The public view is set so Iliad and Leaseweb are both authoritative name servers, serving my zones to unidentified clients. I configured a firewall on my public DNS servers to prevent unknown clients from\u00a0using them. Now,\u00a0Iliad and Leaseweb are both dealing with my attacks, and I don&#8217;t have to bother identifying legitimate queries any more.<br \/>\nAnd it makes perfect sense. 
Even if one could want to host their own domains, protecting yourself from DNS amplification attacks requires reverse-path checking at least, Arbor, Tilera, &#8230; Hosting providers, with their own physical network, hardware and peering, are most likely to block these attacks.<\/p>\n<p>In general, fail2ban is a good candidate for mitigating attacks from the server side.<br \/>\nAs long as your application generates logs, you may parse them to identify and lock out suspicious clients.<br \/>\nHosting SSH servers, asterisk, unbound\/bind\u00a0or even\u00a0wordpress, you have a lot to gain from fail2ban filters.<br \/>\nLately, I&#8217;ve even used fail2ban to feed csf\/lfd, instead of setting iptables rules by itself.<\/p>\n<p>Back to our topic: why unetresgrossebite.com?<br \/>\nDespite obvious compensating remarks, dealing with these kinds of domains is pretty informative.<br \/>\nI could sell out, and register some respectable domain name. Though sticking to this one keeps me busy\u00a0and forces me to implement best practices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lately, I&#8217;ve been asked a lot about my domain name, during job interviews mostly. And I can understand why it\u00a0might seem\u00a0shocking, at first sight. About 5 years ago, I was living with a roommate, who registered the domain unegrossebite.com. It was kind of funny, to have a custom PTR record. 
A colleague of mine registered [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,12],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/203"}],"collection":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=203"}],"version-history":[{"count":1,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/203\/revisions"}],"predecessor-version":[{"id":204,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/203\/revisions\/204"}],"wp:attachment":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}