[Unbound-users] Unbound DDoS / reflexion attack counter-measure ?
Tom
tom at then.fr
Fri May 30 23:32:03 UTC 2014
Hi,
> If your server does not need to be open to the world, you could restrict
> queries to the subnets you control by adding "access-control:
> <subnet>/<mask> allow".
I do have access-control lines, but because I had so many I removed them
for clarity and forgot to keep a few. As an ISP, we have customers
that obviously have malware running on networks/hosts we cannot
control.
So my config actually looks like this:
server:
    verbosity: 1
    interface-automatic: yes
    outgoing-range: 950
    outgoing-num-tcp: 50
    incoming-num-tcp: 50
    so-rcvbuf: 4m
    msg-cache-size: 50m
    jostle-timeout: 1000
    rrset-cache-size: 100m
    root-hints: "named.cache"
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 2407:6800:xx:xx::/64 allow
    access-control: 192.168.0.0/16 allow
    access-control: 123.xxx.xxx.xxx/17 allow
    [..]
    hide-identity: yes
    hide-version: yes
    prefetch: yes
    prefetch-key: yes
    auto-trust-anchor-file: "root.key"
python:
remote-control:
    control-enable: yes
Sorry for the oversight.
Thomas
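
Added example (not part of the message above and not Unbound's own code): a small Python check that reads access-control lines like the ones in this config and reports which action a given client address would get, following Unbound's documented rule that the most specific matching netblock wins and unmatched clients are refused. The prefixes in SAMPLE_CONF are constructed documentation ranges, and parse_acl, action_for and open_to_world are hypothetical helper names.

```python
import ipaddress

# Constructed sample (documentation prefixes, not the poster's masked ranges).
SAMPLE_CONF = """
server:
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 2001:db8:10::/64 allow
    access-control: 192.168.0.0/16 allow
    access-control: 198.51.100.0/24 allow
    access-control: 198.51.100.128/25 refuse   # carve-out inside the /24
"""

def parse_acl(conf_text):
    """Return [(network, action)] for every parseable access-control line."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        fields = line.split(":", 1)[1].split()
        if len(fields) != 2:
            continue  # malformed entry: skip rather than guess
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # e.g. a masked value such as 123.xxx.xxx.xxx/17
        rules.append((net, fields[1]))
    return rules

def action_for(rules, client):
    """Most specific matching netblock wins; line order does not matter."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"  # fallback when nothing matches

def open_to_world(rules):
    """List allow-type rules that cover the whole IPv4 or IPv6 space."""
    return [str(n) for n, a in rules if n.prefixlen == 0 and a.startswith("allow")]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONF)
    for ip in ("198.51.100.10", "198.51.100.200", "203.0.113.5", "2001:db8:10::53"):
        print(ip, "->", action_for(acl, ip))
    print("world-open allow rules:", open_to_world(acl))
```
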