question on ACL
Måns Nilsson
mansaxel at besserwisser.org
Thu Jun 12 06:29:16 UTC 2025
Subject: Re: question on ACL
Date: Wed, Jun 11, 2025 at 11:48:41AM +0200
Quoting Yorgos Thessalonikefs via Unbound-users (unbound-users at lists.nlnetlabs.nl):
> Hi Måns,
>
> Not allowing 127.0.0.1 in the access-control forbids DNS queries from that
> localhost address to Unbound. The daemon itself does not rely on that
> address and you can forbid it if you don't want queries from that address.
Ok. It just was too good a coincidence to not follow up. :-)
> Now with me just assuming based on what you shared, I believe during the
> DDOS attack Unbound started caching resolution failures (for the queries
> themselves and the infrastructure cache).
> Reloading Unbound clears all that state.
Makes sense.
> For SERVFAILs of individual queries (Unbound could not resolve for reasons)
> these stay in the cache for 5 seconds and work as a back off mechanism.
>
> For the infrastructure failures (Unbound can not reach nameservers or
> timeouts start piling up) you have a couple of options:
<snip>
> Hope that helps.
It helps, and a lot. I'm grateful for the answer and the links.
Thanks!
/Måns
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
A can of ASPARAGUS, 73 pigeons, some LIVE ammo, and a FROZEN DAQUIRI!!