-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Kaito,

It counts replies that come in on open ports, purportedly from authority
servers, that are 'not wanted' (wrong ID, wrong source address).

Perhaps port randomisation is foiling this? It only counts when the
metasploit hits an open port; if you do one query, only one port is open.
You can get unbound to open more ports by setting outgoing-range: 950 and
by replaying a trace with a lot of different queries to resolve.

To defeat port randomisation in unbound (warning to other people: do not put
this in your production resolver; it's bad):

  # note these lines take effect in order first to last.
  outgoing-port-avoid: "0-65535"
  outgoing-port-permit: 12345

makes it use just one port. (If you have multiple threads, give it a couple
more ports; it needs at least one per thread.) Then, metasploit should have
no trouble hitting the unwanted reply counter. And also poisoning the cache
(unless you are using DNSSEC).

Best regards,
   Wouter

kaito wrote:
> Hello, everyone,
>
> This is kaito. Now, I test unbound 1.2.1 on Ubuntu 8.04 Server.
> There is a question about the "unwanted-reply-threshold" parameter.
> What replies are counted by this parameter?
>
> Using metasploit framework 3.3-dev to do the kaminsky attack,
> unbound did not count unwanted-replies...
>
> Sincerely,
> kaito
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm/W58ACgkQkDLqNwOhpPgBDgCcD+3qK01VK5cAcsmAXO15RxI0
/aUAoLIsb9/n/6U5hrPtv2TmceChhr0r
=OI9w
-----END PGP SIGNATURE-----
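The point Wouter makes above (a spoofed reply is only counted as "unwanted" when it lands on a port the resolver actually has open, and with port randomisation and a single outstanding query that is one port out of many) is easy to see in a small model. The following is an added example written for this page, not unbound's code and not from anyone in the thread: a toy resolver that keeps a table of open ports and outstanding transaction IDs, classifies every inbound reply as closed / unwanted / accepted, and an attacker that sweeps all 65536 TXIDs at one guessed port, Kaminsky-style. The port numbers, the addresses (192.0.2.1, 203.0.113.66, the TEST-NET ranges) and the query names are made up; the 950-port range merely stands in for a randomised resolver with outgoing-range: 950, and the threshold action (flushing the cache once the counter reaches unwanted-reply-threshold) is modelled on what unbound.conf(5) documents for that option, not copied from unbound.

```python
"""Constructed model (not unbound's code) of how a resolver sorts inbound UDP
replies into closed / unwanted / accepted, to show why a spoofing flood only
moves the unwanted-reply counter when it hits a port that is actually open."""
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Reply:
    dst_port: int   # UDP port the packet was sent to
    src_ip: str     # claimed authority server address
    txid: int       # 16-bit DNS transaction ID
    qname: str      # question the reply claims to answer
    rdata: str      # answer the reply carries


@dataclass
class Resolver:
    ports: list                      # outgoing ports this resolver may use
    rng: random.Random
    threshold: Optional[int] = None  # unwanted-reply-threshold; None = off
    # open port -> {txid: (expected server ip, qname)}
    pending: dict = field(default_factory=dict)
    cache: dict = field(default_factory=dict)
    unwanted: int = 0
    flushed: bool = False

    def send_query(self, qname, server_ip):
        """Pick a port from the permitted range and a TXID not in use on it."""
        port = self.rng.choice(self.ports)
        slot = self.pending.setdefault(port, {})
        txid = self.rng.getrandbits(16)
        while txid in slot:
            txid = self.rng.getrandbits(16)
        slot[txid] = (server_ip, qname)
        return port, txid

    def receive(self, r: Reply) -> str:
        slot = self.pending.get(r.dst_port)
        if not slot:
            return "closed"        # kernel drops it; the resolver never sees it
        expected = slot.get(r.txid)
        if expected is None or expected != (r.src_ip, r.qname):
            self.unwanted += 1     # wrong ID, wrong source or wrong question
            if self.threshold and self.unwanted >= self.threshold and not self.flushed:
                self.cache.clear()  # defensive flush (modelled on unbound.conf(5))
                self.flushed = True
            return "unwanted"
        del slot[r.txid]
        if not slot:
            del self.pending[r.dst_port]   # last query on that port: port closes
        self.cache[r.qname] = r.rdata      # poisoned if the reply was spoofed
        return "accepted"


def kaminsky_flood(resolver, port, qname, spoofed_ip, rdata="203.0.113.66"):
    """Attacker sweeps every TXID at one guessed port, claiming to be the authority."""
    outcome = Counter()
    for txid in range(1 << 16):
        outcome[resolver.receive(Reply(port, spoofed_ip, txid, qname, rdata))] += 1
    return outcome


AUTH = "192.0.2.1"            # the real authority (made-up, documentation range)
TARGET = "www.example.com."   # name the attacker wants to poison


def scenario(ports, seed, threshold=None, background_queries=0):
    """One query for TARGET is in flight; the attacker knows the port range
    but not the pick, guesses a port and floods it with all 65536 TXIDs.
    background_queries adds other in-flight queries (Wouter's 'replay a
    trace'), which keeps a shared port open after TARGET is answered."""
    res = Resolver(ports=list(ports), rng=random.Random(seed), threshold=threshold)
    for i in range(background_queries):
        res.send_query(f"other{i}.example.net.", AUTH)
    res.send_query(TARGET, AUTH)
    guess = random.Random(seed + 1).choice(list(ports))
    out = kaminsky_flood(res, guess, TARGET, AUTH)
    return {"closed": out["closed"], "unwanted": out["unwanted"],
            "accepted": out["accepted"], "poisoned": TARGET in res.cache,
            "flushed": res.flushed, "counter": res.unwanted}


SINGLE_PORT = [12345]                    # outgoing-port-avoid: "0-65535" + permit: 12345
RANDOMISED = range(32768, 32768 + 950)   # stands in for outgoing-range: 950

if __name__ == "__main__":
    print("one port  :", scenario(SINGLE_PORT, seed=1, background_queries=1))
    print("randomised:", scenario(RANDOMISED, seed=1))
```

With the single permitted port every spoofed packet is seen by the resolver, so the counter climbs by one per wrong guess and the sweep is guaranteed to land the poisoned answer (absent DNSSEC validation, which the model does not include). With the randomised range and a single outstanding query, the attacker's guess almost always hits a closed port: the kernel discards the flood, the counter stays at zero, and nothing is poisoned, which is exactly the symptom Kaito reported.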