Unbound-users Digest, Vol 63, Issue 9
sir izake
sirizake at gmail.com
Tue Mar 25 09:36:54 UTC 2025
Unfortunately, the changes didn't yield many results. The flood attack
happened again but at a different time.
Any more suggestions?
Regards,
izake
On Mon, Mar 24, 2025 at 12:18 PM sir izake <sirizake at gmail.com> wrote:
> thank you all
>
> "unbound-control get_option access-control" shows a list of IP blocks I
> have allowed/denied.
>
> I have also done the explicit deny and recommended config hardening.
>
> I will monitor and see if the issue reoccurs.
>
> Thank you
> izake
>
>
>
>
> On Mon, Mar 24, 2025 at 10:48 AM <unbound-users-request at lists.nlnetlabs.nl>
> wrote:
>
>> Today's Topics:
>>
>> 1. Unbound dns resolver involved in DNS Amplification attack
>> (sir izake)
>> 2. Re: Unbound dns resolver involved in DNS Amplification attack
>> (Yuri)
>> 3. Re: Unbound dns resolver involved in DNS Amplification attack
>> (Cristiano Deana)
>> 4. Re: Unbound dns resolver involved in DNS Amplification attack
>> (Yuri)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 24 Mar 2025 10:18:38 +0000
>> From: sir izake <sirizake at gmail.com>
>> To: unbound-users at lists.nlnetlabs.nl
>> Subject: Unbound dns resolver involved in DNS Amplification attack
>> Message-ID: <CAACQ5hCU_6i_hqapFUaqwEZHeE_WD9MQDAUo4njJigH8CmZDeA at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi
>>
>> I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
>> server. It is configured to only respond to queries from the local host
>> and my network IP block.
>>
>> Recently, I detected my server was involved in a DNS amplification attack.
>> By default unbound doesn't respond to any query outside those allowed in
>> the access list in the config file. How do I uncover the source IPs
>> involved and potentially block them.
>>
>> Are there other options I need to enable to prevent further amplification
>> attacks?
>>
>> I have checked the server and don't see any suspicious process running.
>>
>> Your support and advice is greatly appreciated.
>>
>> Regards
>> izake
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 24 Mar 2025 15:32:42 +0500
>> From: Yuri <yvoinov at gmail.com>
>> To: unbound-users at lists.nlnetlabs.nl
>> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
>> Message-ID: <c957df77-cc37-4d5a-9dc0-8f3e78f0cec0 at gmail.com>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>>
>> To begin, restrict access from outside using standard Unbound
>> configuration (example from one of my setups):
>>
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: 127.0.0.0/8 allow_snoop
>>     access-control: 192.168.0.0/16 allow_snoop
>>     access-control: 172.16.0.0/12 allow_snoop
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>     access-control: ::ffff:127.0.0.1 allow
>>
>> Additionally, cut off external access with a server firewall and/or on
>> the border. And finally, check the internal network to see if it is
>> trooped.
>>
>> 24.03.2025 15:18, sir izake via Unbound-users wrote:
>> > Hi
>> >
>> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
>> > server. It is configured to only respond to queries from the local
>> > host and my network IP block.
>> >
>> > Recently, I detected my server was involved in a DNS amplification
>> > attack. By default unbound doesn't respond to any query outside those
>> > allowed in the access list in the config file. How do I uncover the
>> > source IPs involved and potentially block them.
>> >
>> > Are there other options I need to enable to prevent further
>> > amplification attacks?
>> >
>> > I have checked the server and don't see any suspicious process running.
>> >
>> > Your support and advice is greatly appreciated.
>> >
>> > Regards
>> > izake
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 24 Mar 2025 11:33:26 +0100
>> From: Cristiano Deana <cristiano.deana at megaweb.it>
>> To: unbound-users at lists.nlnetlabs.nl
>> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
>> Message-ID: <b25581c2-8068-440a-b590-f0e3ad612b90 at megaweb.it>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> On 24/03/2025 11:18, sir izake via Unbound-users wrote:
>>
>> Hi,
>>
>> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
>> > server. It is configured to only respond to queries from the local host
>> > and my network IP block.
>>
>> what do you get with `unbound-control get_option access-control'?
>>
>> > Recently, I detected my server was involved in a DNS amplification
>> > attack. By default unbound doesn't respond to any query outside those
>> > allowed in the access list in the config file. How do I uncover the
>> > source IPs involved and potentially block them.
>> >
>> > Are there other options I need to enable to prevent further
>> > amplification attacks?
>> >
>> > I have checked the server and don't see any suspicious process running.
>> >
>> > Your support and advice is greatly appreciated.
>> >
>> > Regards
>> > izake
>>
>> --
>>
>> ###############################
>> # Cristiano Deana #
>> # #
>> # Senior Network Engineer #
>> # Digital Response Team #
>> # CittaStudi S.p.a. #
>> # off. +39 015 855 1172 #
>> # cell +39 328 310 6392 #
>> ###############################
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 24 Mar 2025 15:48:03 +0500
>> From: Yuri <yvoinov at gmail.com>
>> To: unbound-users at lists.nlnetlabs.nl
>> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
>> Message-ID: <55c63a28-03e3-4bbf-9b58-80b5786c9e4b at gmail.com>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>>
>> Ah, I was inattentive. It seems to me that a consistent set of actions
>> is needed here, as in the case of an incident. Listening to traffic - in
>> order to catch illegitimate traffic and try to determine its source.
>> Scanning the external access point for open ports. Checking the firewall
>> and routing settings. And - yes, of course, it is worth starting with
>> checking the config and its hardening.
>>
>> 24.03.2025 15:33, Cristiano Deana via Unbound-users wrote:
>> > On 24/03/2025 11:18, sir izake via Unbound-users wrote:
>> >
>> > Hi,
>> >
>> >> I run an unbound dns cache resolver (version 1.22.0) on a freebsd
>> >> 14.2 server. It is configured to only respond to queries from the
>> >> local host and my network IP block.
>> >
>> > what do you get with `unbound-control get_option access-control'?
>> >
>> >> Recently, I detected my server was involved in a DNS amplification
>> >> attack. By default unbound doesn't respond to any query outside
>> >> those allowed in the access list in the config file. How do I uncover
>> >> the source IPs involved and potentially block them.
>> >>
>> >> Are there other options I need to enable to prevent further
>> >> amplification attacks?
>> >>
>> >> I have checked the server and don't see any suspicious process running.
>> >>
>> >> Your support and advice is greatly appreciated.
>> >>
>> >> Regards
>> >> izake
>> >
>>
>
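An added example (not part of any poster's message and not Unbound's own code): a Python audit of the access-control list quoted in the thread, reporting which observed source addresses the resolver would answer, refuse or drop. The observed source IPs are constructed samples, and the rule semantics assumed here (most specific netblock wins, `refuse` when nothing matches) follow unbound.conf(5).

```python
import ipaddress

# ACL quoted in the thread; the observed source IPs are constructed samples.
ACL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
access-control: 172.16.0.0/12 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
"""
OBSERVED = ["192.168.10.7", "172.20.1.1", "203.0.113.50", "2001:db8::1", "::1"]

# Effect of each action per unbound.conf(5): allow* answers, refuse sends a
# small REFUSED reply, deny drops silently, *_non_local serves local data only.
EFFECT = {"allow": "answered", "allow_setrd": "answered",
          "allow_snoop": "answered", "allow_cookie": "answered",
          "refuse": "refused_reply", "deny": "dropped",
          "refuse_non_local": "local_data_only",
          "deny_non_local": "local_data_only"}

def parse_acl(text):
    """Parse 'access-control: <netblock> <action>' or bare '<netblock> <action>'."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].strip().removeprefix("access-control:").split()
        try:
            rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
        except (IndexError, ValueError):
            continue  # blank line, other option, or unparsable netblock
    return rules

def decide(rules, client, default="refuse"):
    """Most specific matching netblock wins; rule order does not matter."""
    addr = ipaddress.ip_address(client)
    hits = [(net.prefixlen, action) for net, action in rules
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else default

def audit(rules, sources):
    """Map each observed source IP to (action, effect on the wire)."""
    report = {}
    for src in sources:
        action = decide(rules, src)
        report[src] = (action, EFFECT.get(action, "unknown"))
    return report

if __name__ == "__main__":
    for src, (action, effect) in audit(parse_acl(ACL), OBSERVED).items():
        print(f"{src:15} {action:12} {effect}")
```

Sources that land on `answered` are the ones to compare against the addresses seen in a packet capture; anything outside the intended netblocks that still shows as `answered` points at an over-broad rule.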