Unbound dns resolver involved in DNS Amplification attack

Yuri yvoinov at gmail.com
Mon Mar 24 10:32:42 UTC 2025


To begin, restrict access from outside using standard Unbound 
configuration (example from one of my setups):

     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow_snoop
     access-control: 192.168.0.0/16 allow_snoop
     access-control: 172.16.0.0/12 allow_snoop
     access-control: ::0/0 refuse
     access-control: ::1 allow
     access-control: ::ffff:127.0.0.1 allow

Additionally, cut off external access with a server firewall and/or on 
the border. And finally, check the internal network to see if it is trooped.

24.03.2025 15:18, sir izake via Unbound-users wrote:
> Hi
>
> I run an Unbound DNS cache resolver (version 1.22.0) on a FreeBSD 14.2 
> server. It is configured to only respond to queries from the local 
> host and my network IP block.
>
> Recently, I detected my server was involved in a DNS amplification 
> attack.  By default unbound doesn't respond to any query outside those 
> allowed in the access list in the config file. How do I uncover the 
> source IPs involved and potentially block them?
>
> Are there other options I need to enable to prevent further 
> amplification attacks?
>
> I have checked the server and don't see any suspicious process running.
>
> Your support and advice is greatly appreciated.
>
> Regards
> izake
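
Added example, not part of the original message or of the Unbound project: a small Python check that evaluates the access-control lines posted above the way Unbound does (the most specific matching netblock wins, and a source that matches nothing is refused) and reports which sources would get answers. The test source addresses are constructed, with documentation ranges standing in for Internet hosts.

```python
import ipaddress

# access-control lines copied from the message above.
POSTED_ACL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
access-control: 172.16.0.0/12 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
"""

# Actions under which a client receives answers; the rest drop or refuse.
ANSWERING = {"allow", "allow_setrd", "allow_snoop", "allow_cookie"}

# Constructed test sources (not taken from any real incident).
SOURCES = ["203.0.113.7", "2001:db8::53", "192.168.1.10",
           "10.0.0.5", "127.0.0.1", "::1"]

def parse_acl(text):
    """Return [(network, action)] for every access-control line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access-control:"):
            net, action = line[len("access-control:"):].split()
            rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules

def decide(rules, source):
    """Most specific matching netblock wins; no match means refuse."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, action) for net, action in rules
            if net.version == ip.version and ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else "refuse"

def audit(text, sources):
    """Map each source address to the action the ACL assigns it."""
    rules = parse_acl(text)
    return {src: decide(rules, src) for src in sources}

if __name__ == "__main__":
    for src, action in audit(POSTED_ACL, SOURCES).items():
        flag = "ANSWERED" if action in ANSWERING else "blocked"
        print(f"{src:15} {action:12} {flag}")
```

With the posted list, 10.0.0.5 is refused because 10.0.0.0/8 is not among the allowed netblocks, so a network numbered from that range would need its own line.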