Maintained by: NLnet Labs

[Unbound-users] Unbound as public DNSSEC resolver

Hauke Lampe
Wed Oct 13 14:41:00 CEST 2010

On 13.10.2010 13:28, lst_hoe02 at wrote:

>> What is "best practice" to limit the resources used and to be a good
>> citizen when using unbound as public DNSSEC aware resolver, or is it
>> not recommended at all?
> Still no answer for this one so I guess it is not recommended at all...

I guess the limits depend on what you think it takes to be a "good
citizen" and how many queries your resolvers usually receive.

I run a public Unbound resolver, mainly because my few mobile clients
call in from various networks and Unbound doesn't support TSIG.

I watch the resolver's munin graphs occasionally and set limits in the
munin configuration. Any larger spikes in query rate or network traffic
should trigger a warning by mail. The current threshold is set at about
10 times the average query rate (which is very low, anyway).

The usual amplification queries for ". NS" come in at <= 1 qps and are
hardly noticeable even on a lightly queried server. If you're concerned
about that and can live with denying priming queries to your clients,
you can drop those with an exact packet filter match.

Here's a u32 match expression for Linux netfilter:
> -A FORWARD -i eth0 -j DROP -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"


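Added example (not part of the original mail, and not Unbound or netfilter code): a Python reimplementation of the predicate the u32 expression above encodes, run over two constructed DNS-over-UDP packets. The three clauses read, relative to the IP header length taken from the first word, the DNS QDCOUNT (must be 1), the first byte of the question name (0, i.e. the root "."), and QTYPE/QCLASS as one 32-bit word (0x00020001 = NS, IN). The helper functions, the sample addresses and the packets are constructed for the demonstration; a packet too short for any of the loads is treated as a non-match, which is also how the kernel match behaves.

```python
"""Emulate the netfilter u32 match that drops '. NS IN' queries, to show what
each clause tests.  Added example: not from the original post or from Unbound."""
import struct


def build_ipv4_udp(payload: bytes, ihl_words: int = 5, dport: int = 53) -> bytes:
    """Construct a minimal IPv4+UDP datagram around a DNS payload.
    Checksums are zero and the addresses are constructed placeholders
    (192.0.2.0/24 is the documentation range)."""
    options = b"\x00" * ((ihl_words - 5) * 4)          # pad if IHL > 5
    total_len = ihl_words * 4 + 8 + len(payload)
    ver_ihl = (4 << 4) | ihl_words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + options
    udp_hdr = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def build_dns_query(qname: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a one-question DNS query.  The root name "." encodes as a single 0 byte."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.strip(".").split(".") if lab)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def u32_word(pkt: bytes, offset: int) -> int:
    """Big-endian 32-bit load at a byte offset, like u32's '@offset' operator."""
    return struct.unpack_from("!I", pkt, offset)[0]


def matches_root_ns_query(pkt: bytes) -> bool:
    """True iff the packet satisfies all three u32 clauses from the mail."""
    try:
        # "0>>22&0x3C": IHL (low nibble of byte 0) * 4 = IP header length in bytes.
        ihl_bytes = (u32_word(pkt, 0) >> 22) & 0x3C
        # "@12>>16=1": header + 12 = UDP(8) + DNS offset 4 -> QDCOUNT must be 1.
        if (u32_word(pkt, ihl_bytes + 12) >> 16) != 1:
            return False
        # "@20>>24=0": DNS offset 12 is the first QNAME byte; 0 means the root name.
        if (u32_word(pkt, ihl_bytes + 20) >> 24) != 0:
            return False
        # "@21=0x00020001": DNS offset 13..16 = QTYPE 2 (NS), QCLASS 1 (IN).
        return u32_word(pkt, ihl_bytes + 21) == 0x00020001
    except struct.error:
        return False          # a load past the end of the packet never matches


def classify_samples() -> dict:
    """Run the predicate over constructed packets; the returned map is what the
    firewall rule would drop (True) or pass (False)."""
    return {
        "root NS, no IP options": matches_root_ns_query(
            build_ipv4_udp(build_dns_query(".", 2))),
        "root NS, IHL=6": matches_root_ns_query(
            build_ipv4_udp(build_dns_query(".", 2), ihl_words=6)),
        "root A": matches_root_ns_query(
            build_ipv4_udp(build_dns_query(".", 1))),
        "example.com NS": matches_root_ns_query(
            build_ipv4_udp(build_dns_query("example.com", 2))),
        "truncated packet": matches_root_ns_query(b"\x45" + b"\x00" * 10),
    }


if __name__ == "__main__":
    for name, dropped in classify_samples().items():
        print(f"{name:28s} -> {'DROP' if dropped else 'pass'}")
```

Only the two root-NS packets match; the IHL=6 case shows why the offsets are computed from the first word rather than hard-coded, and the root A query shows that the rule still lets priming-style lookups for other types through. The kernel evaluates the real expression only on unfragmented IPv4 packets, so the emulation is equally blind to fragments.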