Unbound-users Digest, Vol 63, Issue 9

T.Suzuki tss at reflection.co.jp
Wed Mar 26 01:10:39 UTC 2025


You might want to refer to this?

https://closedresolver.korlabs.io/
https://mkorczynski.com/PAM2020Korczynski.pdf

The source IP address may be disguised as a permission range.

I call this kind of resolver a "hidden open resolver".
https://www.e-ontap.com/misc/ieice2023oki/#(3) ... (Japanese)

On Tue, 25 Mar 2025 09:36:54 +0000
sir izake via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> Unfortunately, the changes didn't yield much results. The flood attack
> happened again but at a different time.
> 
> Any more suggestions?
> 
> Regards,
> izake
> 
> On Mon, Mar 24, 2025 at 12:18 PM sir izake <sirizake at gmail.com> wrote:
> 
> > thank you all
> >
> > "unbound-control get_option access-control" shows a list of IP blocks I
> > have allowed/denied.
> >
> > I have also done the explicit deny and recommended config hardening.
> >
> > I will monitor and see if the issue reoccurs.
> >
> > Thank you
> > izake
> >
> >
> >
> >
> > On Mon, Mar 24, 2025 at 10:48 AM <unbound-users-request at lists.nlnetlabs.nl>
> > wrote:
> >
> >> Today's Topics:
> >>
> >>    1. Unbound dns resolver involved in DNS Amplification attack
> >>       (sir izake)
> >>    2. Re: Unbound dns resolver involved in DNS Amplification attack
> >>       (Yuri)
> >>    3. Re: Unbound dns resolver involved in DNS Amplification attack
> >>       (Cristiano Deana)
> >>    4. Re: Unbound dns resolver involved in DNS Amplification attack
> >>       (Yuri)
> >>
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Mon, 24 Mar 2025 10:18:38 +0000
> >> From: sir izake <sirizake at gmail.com>
> >> To: unbound-users at lists.nlnetlabs.nl
> >> Subject: Unbound dns resolver involved in DNS Amplification attack
> >> Message-ID:
> >>         <
> >> CAACQ5hCU_6i_hqapFUaqwEZHeE_WD9MQDAUo4njJigH8CmZDeA at mail.gmail.com>
> >> Content-Type: text/plain; charset="utf-8"
> >>
> >> Hi
> >>
> >> I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> >> server. It is configured to only respond to queries from the local host
> >> and
> >> my network IP block.
> >>
> >> Recently, I detected my server was involved in a DNS amplification attack.
> >> By default unbound doesn't respond to any query outside those allowed in
> >> the access list in the config file. How do I uncover the source IPs
> >> involved and potentially block them.
> >>
> >> Are there other options I need to enable to prevent further amplification
> >> attacks?
> >>
> >> I have checked the server and don't see any suspicious process running.
> >>
> >> Your support and advice is greatly appreciated.
> >>
> >> Regards
> >> izake
> >>
> >> ------------------------------
> >>
> >> Message: 2
> >> Date: Mon, 24 Mar 2025 15:32:42 +0500
> >> From: Yuri <yvoinov at gmail.com>
> >> To: unbound-users at lists.nlnetlabs.nl
> >> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> >> Message-ID: <c957df77-cc37-4d5a-9dc0-8f3e78f0cec0 at gmail.com>
> >> Content-Type: text/plain; charset="utf-8"; Format="flowed"
> >>
> >> To begin, restrict access from outside using standard Unbound
> >> configuration (example from one of my setups):
> >>
> >>     access-control: 0.0.0.0/0 refuse
> >>     access-control: 127.0.0.0/8 allow_snoop
> >>     access-control: 192.168.0.0/16 allow_snoop
> >>     access-control: 172.16.0.0/12 allow_snoop
> >>     access-control: ::0/0 refuse
> >>     access-control: ::1 allow
> >>     access-control: ::ffff:127.0.0.1 allow
> >>
> >> Additionally, cut off external access with a server firewall and/or on
> >> the border. And finally, check the internal network to see if it is
> >> trooped.
> >>
> >> 24.03.2025 15:18, sir izake via Unbound-users wrote:
> >> > Hi
> >> >
> >> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> >> > server. It is configured to only respond to queries from the local
> >> > host and my network IP block.
> >> >
> >> > Recently, I detected my server was involved in a DNS amplification
> >> > attack. By default unbound doesn't respond to any query outside those
> >> > allowed in the access list in the config file. How do I uncover the
> >> > source IPs involved and potentially block them.
> >> >
> >> > Are there other options I need to enable to prevent further
> >> > amplification attacks?
> >> >
> >> > I have checked the server and don't see any suspicious process running.
> >> >
> >> > Your support and advice is greatly appreciated.
> >> >
> >> > Regards
> >> > izake
> >>
> >> ------------------------------
> >>
> >> Message: 3
> >> Date: Mon, 24 Mar 2025 11:33:26 +0100
> >> From: Cristiano Deana <cristiano.deana at megaweb.it>
> >> To: unbound-users at lists.nlnetlabs.nl
> >> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> >> Message-ID: <b25581c2-8068-440a-b590-f0e3ad612b90 at megaweb.it>
> >> Content-Type: text/plain; charset=UTF-8; format=flowed
> >>
> >> On 24/03/2025 11:18, sir izake via Unbound-users wrote:
> >>
> >> Hi,
> >>
> >> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> >> > server. It is configured to only respond to queries from the local host
> >> > and my network IP block.
> >>
> >> what do you get with `unbound-control get_option access-control'?
> >>
> >> > Recently, I detected my server was involved in a DNS amplification
> >> > attack. By default unbound doesn't respond to any query outside those
> >> > allowed in the access list in the config file. How do I uncover the
> >> > source IPs involved and potentially block them.
> >> >
> >> > Are there other options I need to enable to prevent further
> >> > amplification attacks?
> >> >
> >> > I have checked the server and don't see any suspicious process running.
> >> >
> >> > Your support and advice is greatly appreciated.
> >> >
> >> > Regards
> >> > izake
> >>
> >> --
> >>
> >> ###############################
> >> # Cristiano Deana #
> >> # #
> >> # Senior Network Engineer #
> >> # Digital Response Team #
> >> # CittaStudi S.p.a. #
> >> # off. +39 015 855 1172 #
> >> # cell +39 328 310 6392 #
> >> ###############################
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> Message: 4
> >> Date: Mon, 24 Mar 2025 15:48:03 +0500
> >> From: Yuri <yvoinov at gmail.com>
> >> To: unbound-users at lists.nlnetlabs.nl
> >> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> >> Message-ID: <55c63a28-03e3-4bbf-9b58-80b5786c9e4b at gmail.com>
> >> Content-Type: text/plain; charset="utf-8"; Format="flowed"
> >>
> >> Ah, I was inattentive. It seems to me that a consistent set of actions
> >> is needed here, as in the case of an incident. Listening to traffic - in
> >> order to catch illegitimate traffic and try to determine its source.
> >> Scanning the external access point for open ports. Checking the firewall
> >> and routing settings. And - yes, of course, it is worth starting with
> >> checking the config and its hardening.
> >>
> >> 24.03.2025 15:33, Cristiano Deana via Unbound-users wrote:
> >> > On 24/03/2025 11:18, sir izake via Unbound-users wrote:
> >> >
> >> > Hi,
> >> >
> >> >> I run an unbound dns cache resolver (version 1.22.0) on a freebsd
> >> >> 14.2 server. It is configured to only respond to queries from the
> >> >> local host and my network IP block.
> >> >
> >> > what do you get with `unbound-control get_option access-control'?
> >> >
> >> >> Recently, I detected my server was involved in a DNS amplification
> >> >> attack. By default unbound doesn't respond to any query outside
> >> >> those allowed in the access list in the config file. How do I uncover
> >> >> the source IPs involved and potentially block them.
> >> >>
> >> >> Are there other options I need to enable to prevent further
> >> >> amplification attacks?
> >> >>
> >> >> I have checked the server and don't see any suspicious process running.
> >> >>
> >> >> Your support and advice is greatly appreciated.
> >> >>
> >> >> Regards
> >> >> izake
> >> >
> >>
> >


-- 
鈴木常彦 / (株) リフレクション
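
Added example, not part of the original message or of Unbound: a Python check for the case raised above, where a query arrives from outside carrying a source address that the resolver's access-control list allows. The ACL is the one quoted in the thread; the interface names (`em0` external, `em1` internal, `lo0` loopback) and the sample observations are constructed assumptions.

```python
import ipaddress

# ACL copied from the configuration quoted in the thread.
ACL = [
    ("0.0.0.0/0", "refuse"),
    ("127.0.0.0/8", "allow_snoop"),
    ("192.168.0.0/16", "allow_snoop"),
    ("172.16.0.0/12", "allow_snoop"),
    ("::0/0", "refuse"),
    ("::1", "allow"),
    ("::ffff:127.0.0.1", "allow"),
]
RULES = [(ipaddress.ip_network(net), action) for net, action in ACL]


def acl_action(src):
    """Return the action of the most specific matching netblock."""
    ip = ipaddress.ip_address(src)
    best = None
    for net, action in RULES:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    # No match at all: treat as refused (assumption for this example).
    return best[1] if best else "refuse"


def spoof_candidates(observations, external_ifaces):
    """Queries the ACL would answer but that arrived on an external interface."""
    return [
        (iface, src)
        for iface, src in observations
        if iface in external_ifaces and acl_action(src).startswith("allow")
    ]


# Constructed sample: (ingress interface, source address) of port-53 queries.
SAMPLE = [
    ("em1", "192.168.10.20"),  # internal interface: ordinary client
    ("em0", "192.168.10.20"),  # same address, but arriving from outside
    ("em0", "203.0.113.7"),    # outside address: refused by the ACL anyway
    ("em0", "172.20.1.1"),
    ("lo0", "127.0.0.1"),
    ("em0", "::1"),
]

if __name__ == "__main__":
    for iface, src in spoof_candidates(SAMPLE, {"em0"}):
        print(f"{iface}: {src} matches an allow rule but arrived from outside")
```

Any hit means the address-based ACL alone cannot tell that query from a legitimate one, so the filtering has to happen on the ingress interface (firewall or border), as suggested earlier in the thread.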

