Fwd: refuse ANY queries
Eric Luehrsen
ericluehrsen at hotmail.com
Fri Sep 1 12:59:57 UTC 2017
That is not off topic at all. You could use python plugins to facilitate this. The Unbound python plugin documentation/examples page has a blacklist DNS example. It could be modified to trigger blacklist entries on query metrics. You can blacklist requesters through Unbound access control settings. You can blacklist domain responses by creating empty static domains. It seems you can mix the two with the new "views" feature.
- Eric
-------- Original message --------
From: Aleš Rygl via Unbound-users <unbound-users at unbound.net>
Date: 9/1/17 06:51 (GMT-05:00)
To: unbound-users at unbound.net
Subject: Re: refuse ANY queries
Hi,
it is rather off-topic but it could help you: we use dnsdist DNS balancer to
fight with various types of attacks including excessive amount of ANY queries.
You can set up a rule counting queries per IP within a certain amount of time
and react then. We have Unbound backends. 50kqps is a piece of cake.
BR
Aleš
> BTW it is possible to play nasty tricks and reply with an 'actual' ANY:
>
> local-zone: "example.com." typetransparent
> local-data: "example.com. TYPE255 \# 1 00"
>
> I hope such answer will break the botnet we are fighting against!
>
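The per-client counting and the access-control blacklisting discussed in this thread, combined in an added example that is not part of either message and is not Unbound or dnsdist code. It assumes query logging is on and that lines have the shape shown in the constructed sample; the function names, window and threshold are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed log line shape: "[epoch] unbound[pid:thread] info: <client> <qname> <qtype> IN"
LINE_RE = re.compile(r"^\[(\d+)\] \S+ info: (\S+) (\S+) (\S+) IN$")

def find_any_abusers(lines, window=10, threshold=3):
    """Clients that sent more than `threshold` ANY queries within `window` seconds."""
    recent = defaultdict(deque)  # client -> timestamps of its recent ANY queries
    abusers = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "ANY":
            continue
        ts, client = int(m.group(1)), m.group(2)
        try:
            ipaddress.ip_address(client)  # skip anything that is not an address
        except ValueError:
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            abusers.add(client)
    order = lambda c: (ipaddress.ip_address(c).version, int(ipaddress.ip_address(c)))
    return sorted(abusers, key=order)

def refuse_config(clients):
    """Render one Unbound access-control refuse line per offending client."""
    ips = [ipaddress.ip_address(c) for c in clients]
    return [f"access-control: {ip}/{ip.max_prefixlen} refuse" for ip in ips]

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = [
    "[1504270790] unbound[1234:0] info: 192.0.2.10 example.com. ANY IN",
    "[1504270790] unbound[1234:0] info: 198.51.100.7 example.com. ANY IN",
    "[1504270791] unbound[1234:1] info: 192.0.2.10 example.com. ANY IN",
    "[1504270791] unbound[1234:0] info: 2001:db8::5 example.com. AAAA IN",
    "[1504270792] unbound[1234:0] info: 192.0.2.10 example.com. ANY IN",
    "[1504270793] unbound[1234:1] info: 192.0.2.10 example.com. ANY IN",
    "[1504270800] unbound[1234:0] info: 198.51.100.7 example.com. ANY IN",
    "[1504270810] unbound[1234:0] info: 198.51.100.7 example.com. ANY IN",
]

if __name__ == "__main__":
    print("\n".join(refuse_config(find_any_abusers(SAMPLE_LOG))))
```

Because ANY floods over UDP commonly carry spoofed source addresses, review the generated lines before loading them, since a refused address may belong to a victim rather than the sender.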