question on ACL
Måns Nilsson
mansaxel at besserwisser.org
Wed Jun 11 06:18:09 UTC 2025
Hi,
Recently I've been having some issues with queries under load on
1.22 from FreeBSD pkg. We've seen some nasty DDoS attacks affecting
us and during these one of the side effects has been massive SERVFAILs
all over the board. We run an internal anycast system with a couple
dedicated forwarders to the rest of the name space.
During troubleshooting of this I discovered that I'd excluded
127.0.0.1 from the access-control: list. Once I changed this, purely
as a convenience to myself, I experienced a complete service
restoration without the massive SERVFAIL storms. I changed the value
using a text editor on the config file, and then reloaded the daemon using
unbound-control. So a few other things happened as well, of course.
Muddying the waters.
So, my question is:
Would not having 127.0.0.1 in the access-control: list make life
bad for the daemon in any way? Or was I just lucky that reloading
managed to clear the problem at the same time as the "external
influence" subsided? Tall order to answer, but I'm mostly after
some input as to whether this _could_ have the described effect.
Thanks in advance,
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Everybody is going somewhere!! It's probably a garage sale or a
disaster Movie!!