[Unbound-users] Unbound Logging
drivard at datavalet.com
Thu Feb 2 14:28:54 UTC 2012
Thank you, everyone for your I'll test the log queries today on my testing
environment; if I can get fail2ban to work with this log I will keep you
informed. The reason I want to use fail2ban is to automate the process of
banning the IP without having to manually create iptables rules by hand and
then manage them each time I have to add one. If this doesn't work I'll test
the iptables based on time.
From: unbound-users-bounces at unbound.net
[mailto:unbound-users-bounces at unbound.net] On Behalf Of W.C.A. Wijngaards
Sent: Thursday, February 02, 2012 4:27 AM
To: unbound-users at unbound.net
Subject: Re: [Unbound-users] Unbound Logging
On 02/02/2012 09:53 AM, Oliver Peter wrote:
> On Wed, Feb 01, 2012 at 05:24:50PM -0600, Mark Felder wrote:
>> On 01.02.2012 10:49, Dominick Rivard wrote:
>>> I am using Unbound to serve a public DNS server and I am looking for
>>> a way to prevent a bot or server from degrading my service by requesting
>>> the same domain name like 10 times per second. I thought of using
>>> fail2ban but for that I need to get the IP of the requester
>>> somewhere in the log, so I tried analyzing the log and changed the
>>> verbosity of the logging with unbound-control, but still I don't
>>> find anything yet that I could use for this purpose.
>> On BSD I'd say use a pf rule to block the IP for a time period if X
>> many concurrent states to port 53. Is something like that possible
>> with iptables on Linux?
> That would work on a general denial of service scenario (rate
> limiting) but the OP wanted to block the client after X connections to
> the same domain and with pf (and probably iptables) you cannot log the
> requested domainname; you will need some userlevel magic here.
If you set log-queries: yes then it logs: time, IP, name, type, class, and
this you can maybe use as input to that userlevel script.
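A sketch of the userlevel script discussed in this thread, as an added example that is not from any of the posters or the Unbound project: it parses `log-queries: yes` lines and flags clients that ask for the same name too often. The exact line layout, the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed layout of a log-queries line:
#   [epoch] unbound[pid:thread] info: IP name type class
QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<ip>\S+) (?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

def parse_query_line(line):
    """Return (ts, ip, name, qtype, qclass), or None for non-query lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    try:
        # Rejects other four-word info lines and normalises IPv6 spelling.
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None
    # DNS names are case-insensitive, so mixed-case repeats count as one name.
    name = m["name"].lower().rstrip(".") + "."
    return int(m["ts"]), ip, name, m["qtype"], m["qclass"]

def find_offenders(lines, limit=10, window=1):
    """Sorted (ip, name) pairs with `limit` or more queries for one name
    inside any `window`-second span."""
    recent = defaultdict(deque)  # (ip, name) -> timestamps still in the window
    offenders = set()
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, ip, name, _qtype, _qclass = parsed
        stamps = recent[(ip, name)]
        stamps.append(ts)
        while ts - stamps[0] >= window:
            stamps.popleft()
        if len(stamps) >= limit:
            offenders.add((ip, name))
    return sorted(offenders)

# Constructed sample log, not taken from a real server.
SAMPLE = (
    ["[1328192934] unbound[2330:0] info: 192.0.2.10 Example.com. A IN"] * 6
    + ["[1328192934] unbound[2330:0] info: 192.0.2.10 example.com. A IN"] * 6
    + ["[1328192934] unbound[2330:0] info: 198.51.100.7 example.org. AAAA IN",
       "[1328192935] unbound[2330:0] info: service stopped (unbound 1.4.16)."]
)

if __name__ == "__main__":
    for ip, name in find_offenders(SAMPLE):
        print(f"over limit: {ip} {name}")
```

Most DNS queries arrive over UDP, where the source address can be forged, so a ban list built from these lines can include addresses that never sent the traffic.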