Fail2ban Named query flood

Create named-flood.conf in the filter.d folder (etc/fail2ban/filter.d)

[Definition]
failregex = .* client \#.*: query: .* \+E
ignoreregex =

Enable the Named query flood with the following statement in your jail.local file (etc/fail2ban/jail.local)


[named-flood-udp]
enabled = true
port = 53
protocol = udp
filter = named-flood
logpath = /var/log/named/bind9.log
maxretry = 200
bantime = 3600
ignoreip = 1.2.3.4

[named-flood-tcp]
enabled = true
port = 53
protocol = tcp
filter = named-flood
logpath = /var/log/named/bind9.log
maxretry = 200
bantime = 3600
ignoreip = 1.2.3.4