fail2ban (0.8.4-3+squeeze1) config/jail.conf

Summary

 config/jail.conf |   24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

    

Patch contents

--- fail2ban-0.8.4.orig/config/jail.conf
+++ fail2ban-0.8.4/config/jail.conf
@@ -211,14 +211,22 @@
 # in your named.conf to provide proper logging.
 # This jail blocks UDP traffic for DNS requests.
 
-[named-refused-udp]
-
-enabled  = false
-filter   = named-refused
-action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
-           sendmail-whois[name=Named, dest=you@mail.com]
-logpath  = /var/log/named/security.log
-ignoreip = 168.192.0.1
+# !!! WARNING !!!
+#   Since UDP is connectionless protocol, spoofing of IP and immitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled  = false
+# filter   = named-refused
+# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+#            sendmail-whois[name=Named, dest=you@mail.com]
+# logpath  = /var/log/named/security.log
+# ignoreip = 168.192.0.1
 
 # This jail blocks TCP traffic for DNS requests.