Configuring Fail2Ban for Bind9

Suppose Fail2Ban is already installed, if not, then see my article – Installing and Configuring Fail2ban.

By default, Bind9 does not write logs, so open its configuration file in any text editor:

sudo nano /etc/bind/named.conf

And add:

logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    category security {

Create a directory and assign rights:

sudo mkdir /var/log/named/
sudo chown bind:bind /var/log/named/

Restart Bind9 to apply the changes:

sudo /etc/init.d/bind9 restart

Or apply without restarting:

sudo rndc reconfig

Make sure that the file /var/log/named/security.log was created.

Now open the configuration file Fail2Ban:

sudo nano /etc/fail2ban/jail.conf

We find the following filter parameters for TCP connections:

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

Change “false” to “true”.

Also in the configuration should be the following parameters for UDP connections:

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

It is better not to use them and activate them in extreme cases, since in a UDP message you can specify any source IP address that attackers can use by specifying your IP addresses, after which Fail2Ban will block them.

In Fail2Ban there is an option “ignoreip” which prohibits blocking of the specified addresses, I recommend to use it, for example:

ignoreip =

Let’s check:

sudo fail2ban-client status
sudo iptables-save | grep fail2ban

In the file /var/log/fail2ban.log you can see what the Fail2Ban is blocking.

See also my article:
Installing and Configuring DNS Server BIND9

Join the Conversation

1 Comment

Leave a Reply

  1. A really useful guide! I’d also recommend people do not directly modify .conf files – copy them to the same folder with a .local extension, and work off those. (.conf files may be overwritten without warning at an upgrade or reinstallation.) .local equivalents are always parsed and take priority over the default .conf files.