Unbound dns resolver involved in DNS Amplification attack

Yuri yvoinov at gmail.com
Mon Mar 24 10:48:03 UTC 2025


Ah, I was inattentive. It seems to me that a consistent set of actions 
is needed here, as in the case of an incident. Listening to traffic - in 
order to catch illegitimate traffic and try to determine its source. 
Scanning the external access point for open ports. Checking the firewall 
and routing settings. And - yes, of course, it is worth starting with 
checking the config and its hardening.

24.03.2025 15:33, Cristiano Deana via Unbound-users wrote:
> On 24/03/2025 11:18, sir izake via Unbound-users wrote:
>
> Hi,
>
>> I run an unbound dns cache resolver (version 1.22.0) on a freebsd 
>> 14.2 server. It is configured to only respond to queries from the 
>> local host and my network IP block.
>
> what do you get with `unbound-control get_option access-control'?
>
>> Recently, I detected my server was involved in a DNS amplification 
>> attack.  By default unbound doesn't respond to any query outside 
>> those allowed in the access list in the config file. How do I uncover 
>> the source IPs involved and potentially block them?
>>
>> Are there other options I need to enable to prevent further 
>> amplification attacks?
>>
>> I have checked the server and don't see any suspicious process running.
>>
>> Your support and advice are greatly appreciated.
>>
>> Regards
>> izake
>
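
For the config check mentioned above, an added example (not part of the thread and not Unbound project code) that audits access-control entries against the netblocks the operator means to serve. The sample entries and the INTENDED list are constructed, and the "netblock action" line format is assumed to be what `unbound-control get_option access-control' prints.

```python
import ipaddress

# Constructed sample in "netblock action" form, one entry per line (assumed
# to match what `unbound-control get_option access-control` prints).
SAMPLE_ACL = """\
0.0.0.0/0 refuse
::/0 refuse
127.0.0.0/8 allow
::1/128 allow
198.51.100.0/22 allow
"""

# Constructed: the netblocks the operator actually intends to serve.
INTENDED = ["127.0.0.0/8", "::1/128", "198.51.100.0/24"]

def parse_acl(text):
    """Return [(network, action)] from 'netblock action' lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        netblock, action = line.split()[:2]
        entries.append((ipaddress.ip_network(netblock, strict=False), action))
    return entries

def effective_action(entries, source):
    """Action for one source address: the most specific matching netblock wins."""
    addr = ipaddress.ip_address(source)
    matches = [(net.prefixlen, action) for net, action in entries
               if net.version == addr.version and addr in net]
    # No match is treated as refuse; Unbound's built-in localhost allow is not modelled.
    return max(matches)[1] if matches else "refuse"

def exposed_allows(entries, intended):
    """Allow-type entries that reach addresses outside the intended netblocks."""
    wanted = [ipaddress.ip_network(n) for n in intended]
    return [str(net) for net, action in entries
            if action.startswith("allow")
            and not any(net.version == w.version and net.subnet_of(w) for w in wanted)]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("allow entries wider than intended:", exposed_allows(acl, INTENDED))
    for src in ("198.51.100.7", "198.51.101.9", "203.0.113.5"):
        print(src, "->", effective_action(acl, src))
```

Here the /22 entry is flagged because it also admits 198.51.101.0 through 198.51.103.255, which lie outside the intended /24.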