Admin Web page

[shalafi99]

Hello @ShreyasZare,

By any chance, does your "to-do" list contain the inclusion of any additional security countermeasures for the Admin Web Interface?
Such as a configurable 'lockout time period' feature for accounts as to deter brute-force attempts.

I understand accounts' usernames are not expected to be sniffed (provided HTTPS is being used to access the web interface) and even though the default setup considers a fixed initial account name, that is easy to remediate (change to a new account name post-setup).

Because of all that, I wondered how much real/practical benefit such a lockout feature would bring to the userbase but wanted to ask nevertheless.
(Decided to log this under the "Ideas" section instead on account of such)

Kudos on your DNS Server software.

Regards

[ShreyasZare]

Thanks for asking. The feature already exists. If there are 5 failed attempts to login, the user's IP address is blocked for 5 minutes to prevent bruteforce attack.

[shalafi99]

Got it, thanks for indicating there is such a measure already in place.

I understand that locking out just the offending IP is a good measure against a denial of service on the account itself (you cannot get locked out yourself), but if the lockout is based on the source IP that still allows for some level of brute forcing to take place when many many different IP addresses are used together by a malicious actor, right?
I suppose using IPv6 makes this easier to accomplish too.

I have an automation routine using the DNS API and recently I had to make sure I could connect to the API interface using IPv6 (allow it in the firewall sitting in front of the DNS Server), because my source system was giving a preference of IPv6 over IPv4 (kind of the norm nowadays for devices which operate using both stacks, I suppose, unless you tweak it to force IPv4) to initiate the connection to the DNS Server API (which also is a IPv6 capable server).
As a mitigation, I will adjust the FQDN used with the automation so it resolves only to an A record, no AAAA :-)

[ShreyasZare]

Thanks for pointing that out. For some reason this is missing in the implementation. Will update it to block the user's subnet instead in the next release.