Maintained by: NLnet Labs

[Unbound-users] Unbound Logging

Oliver Peter
Thu Feb 2 09:53:31 CET 2012


On Wed, Feb 01, 2012 at 05:24:50PM -0600, Mark Felder wrote:
> On 01.02.2012 10:49, Dominick Rivard wrote:
> > I am using Unbound to serve a public DNS server and I am looking for a way
> > to prevent bots or servers degrading my service by requesting the same domain
> > name like 10 times per second. I thought of using fail2ban, but for that I
> > need to get the IP of the requester somewhere in the log, so I tried
> > analyzing the log and changed the verbosity of the logging with
> > unbound-control, but still I don't find anything yet that I could use for
> > this purpose.
> On BSD I'd say use a pf rule to block the IP for a time period if X
> many concurrent states to port 53. Is something like that possible
> with iptables on Linux?

That would work in a general denial of service scenario (rate limiting),
but the OP wanted to block the client after X connections to the same
domain, and with pf (and probably iptables) you cannot log the requested
domain name; you will need some userlevel magic here.

-- 
Oliver PETER       oliver at opdns.de       0x456D688F
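The "userlevel magic" Oliver refers to has to come from something that actually sees the query name, which in practice is Unbound's own query log rather than the packet filter. The following is an added example, not code from this thread or from Unbound itself: a small Python counter that parses query log lines, counts hits per (client, query name) in a sliding window, and turns offenders into `pfctl` table commands. The log line format is assumed to resemble what Unbound emits with query logging enabled (`[timestamp] unbound[pid:tid] info: client qname qtype qclass`); check it against the output of your own version before relying on the regex. The sample log lines, the `dnsabusers` table name, the threshold of 10 hits per second and the window size are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque

# Assumed query log format (resembles Unbound's query logging; verify against
# your version's actual output before use):
# [1328176405] unbound[1234:0] info: 192.0.2.10 example.com. A IN
QUERY_RE = re.compile(
    r'^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: '
    r'(?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$'
)


def parse_query_line(line):
    """Return (timestamp, client, qname, qtype) for a query line, else None.

    Non-query lines (startup messages, verbose debug output) do not match
    the regex and are ignored by the caller.
    """
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    return int(m.group('ts')), m.group('client'), m.group('qname'), m.group('qtype')


class QnameRateLimiter:
    """Sliding-window counter keyed on (client, normalized qname).

    DNS names are case-insensitive, so EXAMPLE.COM. and example.com. must be
    counted together; the trailing root dot is also stripped.
    """

    def __init__(self, max_hits, window_s):
        self.max_hits = max_hits
        self.window_s = window_s
        self.windows = defaultdict(deque)  # (client, qname) -> timestamps

    def observe(self, ts, client, qname):
        """Record one query; return True once the client exceeds max_hits
        for this qname within the last window_s seconds."""
        key = (client, qname.lower().rstrip('.'))
        dq = self.windows[key]
        dq.append(ts)
        # Drop timestamps that fell out of the window.
        while dq and dq[0] <= ts - self.window_s:
            dq.popleft()
        return len(dq) > self.max_hits


def offenders(lines, max_hits=10, window_s=1):
    """Scan log lines; return {client: {qname, ...}} for clients that hammered
    a single name more than max_hits times within window_s seconds."""
    limiter = QnameRateLimiter(max_hits, window_s)
    found = {}
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, client, qname, _qtype = parsed
        if limiter.observe(ts, client, qname):
            found.setdefault(client, set()).add(qname.lower().rstrip('.'))
    return found


def pf_table_commands(found, table='dnsabusers'):
    """Build pfctl commands adding each offender to a pf table (hypothetical
    table name); the pf ruleset is expected to block or rate-limit members."""
    return [f'pfctl -t {table} -T add {client}' for client in sorted(found)]


# Constructed sample log: one non-query line, one client repeating the same
# name 12 times in one second (half of them in upper case), another client
# sending 12 queries for 12 different names, and a late repeat outside the window.
SAMPLE_LOG = '\n'.join(
    ['[1328176405] unbound[1234:0] info: start of service (unbound 1.4.14).']
    + [f'[1328176405] unbound[1234:0] info: 203.0.113.7 {n} A IN'
       for n in ['example.com.'] * 6 + ['EXAMPLE.COM.'] * 6]
    + [f'[1328176405] unbound[1234:0] info: 192.0.2.10 host{i}.example.net. AAAA IN'
       for i in range(12)]
    + ['[1328176409] unbound[1234:0] info: 203.0.113.7 example.com. A IN']
)

if __name__ == '__main__':
    hits = offenders(SAMPLE_LOG.splitlines(), max_hits=10, window_s=1)
    for cmd in pf_table_commands(hits):
        print(cmd)
```

Run as a pipe from the log (or a tail of it) and feed the emitted commands to `pfctl`, or use the same regex as a fail2ban `failregex` with `<HOST>` in place of the client group if a plain per-IP threshold is acceptable; the per-name counting above is the part fail2ban does not do for you. Note that a client spread across many distinct names, like `192.0.2.10` in the sample, is deliberately not flagged here, since that is the general rate-limiting case pf or iptables already handles on their own.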