<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-CA link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am trying to find the cause of an issue we experienced last Thursday. We are running multiple Unbound servers in order to provide internet to our users. I would say we were under attack, with a couple of IPs trying to request as many records as possible for “ANY? isc.org.”. The DNS was resolving until a certain point in time, when it became just impossible to resolve anything. My first try was to restart the unbound service and it worked for a couple of seconds, then it failed again. The next step was to block these IPs with iptables, but it still wasn’t resolving, even after a second restart of the unbound service. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What resolved the issue was to route the traffic to a different NAT IP so the unbound servers were seen as a different public IP when going to the internet. At that point I thought I could have been throttled or blacklisted by the root servers. I wrote to them and they explained to me that they don’t have such a means to limit the rate of queries or throttle any of our requests. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So I am turning to you guys to ask some questions: what could be slowing me down or blocking me from my local unbound server to resolve any name? Is there any configuration I need to change? 
<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>How would you prevent this kind of attack in the future?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Unbound version: 1.4.18<o:p></o:p></p><p class=MsoNormal>OS: Debian Squeeze 6.0.6<o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-CA'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-CA'>Best regards.<br><br><i>Dominick Rivard,</i><br><i><span style='color:#969696'>Solutions Architect</span></i><br><br>5275 Queen Mary <br>Montréal, Qc<br>H3W 1Y3<br>Tel: 514-385-4448 ext 126<br>Fax: 514-385-6660<br><br><b><i>Notice: </i></b><i>This message is confidential and privileged. If you are not the addressee, please inform the sender by return e-mail immediately and delete this message and destroy all copies.</i></span><o:p></o:p></p></div></body></html>