Unbound-users Digest, Vol 63, Issue 9

sir izake sirizake at gmail.com
Mon Mar 24 12:18:27 UTC 2025


Thank you all,

"unbound-control get_option access-control" shows a list of IP blocks I
have allowed/denied.

I have also done the explicit deny and recommended config hardening.

I will monitor and see if the issue reoccurs.

Thank you
izake




On Mon, Mar 24, 2025 at 10:48 AM <unbound-users-request at lists.nlnetlabs.nl>
wrote:

> Today's Topics:
>
>    1. Unbound dns resolver involved in DNS Amplification attack
>       (sir izake)
>    2. Re: Unbound dns resolver involved in DNS Amplification attack
>       (Yuri)
>    3. Re: Unbound dns resolver involved in DNS Amplification attack
>       (Cristiano Deana)
>    4. Re: Unbound dns resolver involved in DNS Amplification attack
>       (Yuri)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 24 Mar 2025 10:18:38 +0000
> From: sir izake <sirizake at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <CAACQ5hCU_6i_hqapFUaqwEZHeE_WD9MQDAUo4njJigH8CmZDeA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> server. It is configured to only respond to queries from the local host and
> my network IP block.
>
> Recently, I detected my server was involved in a DNS amplification attack.
> By default unbound doesn't respond to any query outside those allowed in
> the access list in the config file. How do I uncover the source IPs
> involved and potentially block them.
>
> Are there other options I need to enable to prevent further amplification
> attacks?
>
> I have checked the server and don't see any suspicious process running.
>
> Your support and advice is greatly appreciated.
>
> Regards
> izake
>
> ------------------------------
>
> Message: 2
> Date: Mon, 24 Mar 2025 15:32:42 +0500
> From: Yuri <yvoinov at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <c957df77-cc37-4d5a-9dc0-8f3e78f0cec0 at gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> To begin, restrict access from outside using standard Unbound
> configuration (example from one of my setups):
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow_snoop
>     access-control: 192.168.0.0/16 allow_snoop
>     access-control: 172.16.0.0/12 allow_snoop
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: ::ffff:127.0.0.1 allow
>
> Additionally, cut off external access with a server firewall and/or on
> the border. And finally, check the internal network to see if it is
> trooped.
>
> 24.03.2025 15:18, sir izake via Unbound-users wrote:
> > Hi
> >
> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> > server. It is configured to only respond to queries from the local
> > host and my network IP block.
> >
> > Recently, I detected my server was involved in a DNS amplification
> > attack. By default unbound doesn't respond to any query outside those
> > allowed in the access list in the config file. How do I uncover the
> > source IPs involved and potentially block them.
> >
> > Are there other options I need to enable to prevent further
> > amplification attacks?
> >
> > I have checked the server and don't see any suspicious process running.
> >
> > Your support and advice is greatly appreciated.
> >
> > Regards
> > izake
>
> ------------------------------
>
> Message: 3
> Date: Mon, 24 Mar 2025 11:33:26 +0100
> From: Cristiano Deana <cristiano.deana at megaweb.it>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <b25581c2-8068-440a-b590-f0e3ad612b90 at megaweb.it>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 24/03/2025 11:18, sir izake via Unbound-users wrote:
>
> Hi,
>
> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> > server. It is configured to only respond to queries from the local host
> > and my network IP block.
>
> what do you get with `unbound-control get_option access-control'?
>
> > Recently, I detected my server was involved in a DNS amplification
> > attack. By default unbound doesn't respond to any query outside those
> > allowed in the access list in the config file. How do I uncover the
> > source IPs involved and potentially block them.
> >
> > Are there other options I need to enable to prevent further
> > amplification attacks?
> >
> > I have checked the server and don't see any suspicious process running.
> >
> > Your support and advice is greatly appreciated.
> >
> > Regards
> > izake
>
> --
>
> ###############################
> # Cristiano Deana #
> # #
> # Senior Network Engineer #
> # Digital Response Team #
> # CittaStudi S.p.a. #
> # off. +39 015 855 1172 #
> # cell +39 328 310 6392 #
> ###############################
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 24 Mar 2025 15:48:03 +0500
> From: Yuri <yvoinov at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <55c63a28-03e3-4bbf-9b58-80b5786c9e4b at gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Ah, I was inattentive. It seems to me that a consistent set of actions
> is needed here, as in the case of an incident. Listening to traffic - in
> order to catch illegitimate traffic and try to determine its source.
> Scanning the external access point for open ports. Checking the firewall
> and routing settings. And - yes, of course, it is worth starting with
> checking the config and its hardening.
>
> 24.03.2025 15:33, Cristiano Deana via Unbound-users wrote:
> > On 24/03/2025 11:18, sir izake via Unbound-users wrote:
> >
> > Hi,
> >
> >> I run an unbound dns cache resolver (version 1.22.0) on a freebsd
> >> 14.2 server. It is configured to only respond to queries from the
> >> local host and my network IP block.
> >
> > what do you get with `unbound-control get_option access-control'?
> >
> >> Recently, I detected my server was involved in a DNS amplification
> >> attack. By default unbound doesn't respond to any query outside
> >> those allowed in the access list in the config file. How do I uncover
> >> the source IPs involved and potentially block them.
> >>
> >> Are there other options I need to enable to prevent further
> >> amplification attacks?
> >>
> >> I have checked the server and don't see any suspicious process running.
> >>
> >> Your support and advice is greatly appreciated.
> >>
> >> Regards
> >> izake
> >
>
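
The access-control check discussed in this thread, as an added example that is not part of any poster's message: it evaluates a rule list the way unbound.conf(5) describes (the most specific netblock wins) and reports any answering rule that reaches beyond internal address space. It assumes `unbound-control get_option access-control` prints one `netblock action` pair per line; the `INTERNAL` list, the function names and `WEAK_ACL` are illustrative assumptions.

```python
import ipaddress

# Actions that make Unbound answer the client (see unbound.conf(5)).
ANSWERING = {"allow", "allow_setrd", "allow_snoop", "allow_cookie"}
# Netblocks treated as internal for this audit (an assumption; adjust per site).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "::ffff:127.0.0.0/104", "fc00::/7", "fe80::/10")]

def parse_acl(text):
    """Parse 'netblock action' lines, with or without 'access-control:'."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("access-control:", "").split()
        if len(parts) == 2:
            rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return rules

def action_for(rules, addr):
    """Action of the most specific netblock containing addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, act) for net, act in rules
            if net.version == ip.version and ip in net]
    # No match: treated as refuse, Unbound's default for non-localhost clients.
    return max(hits, key=lambda h: h[0])[1] if hits else "refuse"

def exposed_rules(rules):
    """Answering rules whose netblock is not inside any INTERNAL range."""
    out = []
    for net, act in rules:
        inside = any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)
        if act in ANSWERING and not inside:
            out.append((str(net), act))
    return out

# The rules posted in the thread, and a constructed weak list for contrast.
THREAD_ACL = """\
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
access-control: 172.16.0.0/12 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
"""
WEAK_ACL = "0.0.0.0/0 refuse\n198.51.100.0/24 allow\n10.0.0.0/8 allow\n"  # constructed

if __name__ == "__main__":
    for name, text in (("thread", THREAD_ACL), ("weak", WEAK_ACL)):
        rules = parse_acl(text)
        print(name, "exposed:", exposed_rules(rules),
              "| 198.51.100.7 ->", action_for(rules, "198.51.100.7"))
```

An empty result only shows that the rule list itself is tight; if the resolver still answers outside clients, the firewall and the internal network checks suggested in the thread are the next places to look.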

