Maintained by: NLnet Labs

[Unbound-users] Unbound Logging

W.C.A. Wijngaards
Thu Feb 2 10:26:54 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/02/2012 09:53 AM, Oliver Peter wrote:
> On Wed, Feb 01, 2012 at 05:24:50PM -0600, Mark Felder wrote:
>> On 01.02.2012 10:49, Dominick Rivard wrote:
>>> I am using Unbound to serve a public DNS server and I am
>>> looking for a way to prevent a bot or server from degrading my
>>> service by requesting the same domain name like 10 times per
>>> second. I thought of using fail2ban but for that I need to get
>>> the IP of the requester somewhere in the log, so I tried
>>> analyzing the log and changed the verbosity of the logging with
>>> unbound-control, but still I don't find anything yet that I
>>> could use for this purpose.
>> On BSD I'd say use a pf rule to block the IP for a time period if
>> X many concurrent states to port 53. Is something like that
>> possible with iptables on Linux?
> 
> That would work on a general denial of service scenario (rate
> limiting) but the OP wanted to block the client after X connections
> to the same domain and with pf (and probably iptables) you cannot
> log the requested domain name; you will need some userlevel magic
> here.

If you set log-queries: yes then it logs: time, IP, name, type, class,
and this you can maybe use as input to that userlevel script.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
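
Added example, not part of the original thread or of Unbound itself: a sketch of the userlevel script discussed above, which reads log-queries output and reports clients that ask for the same name more than a threshold number of times within one second. The exact line layout ([epoch] unbound[pid:thread] info: IP name type class), the function name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed layout of a log-queries line when Unbound logs to a file:
#   [epoch] unbound[pid:thread] info: <client-ip> <qname> <qtype> <qclass>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<ip>\S+) (?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

def find_repeat_offenders(lines, max_hits=10, window=1):
    """Return (ip, qname) pairs seen more than max_hits times in window seconds."""
    recent = defaultdict(deque)  # (ip, qname) -> timestamps still inside the window
    offenders = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not shaped like a query line
        try:
            ipaddress.ip_address(m["ip"])  # reject other four-word info lines
        except ValueError:
            continue
        ts = int(m["ts"])
        key = (m["ip"], m["name"].lower())  # DNS names are case-insensitive
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] >= window:  # drop entries that fell out of the window
            stamps.popleft()
        if len(stamps) > max_hits:
            offenders.add(key)
    return offenders

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = (
    ["[1328174814] unbound[2134:0] info: start of service (constructed)"]
    + ["[1328174815] unbound[2134:0] info: 192.0.2.10 example.com. A IN"] * 12
    + ["[1328174815] unbound[2134:0] info: 198.51.100.7 Example.com. A IN"] * 3
    + [f"[{1328174816 + i}] unbound[2134:0] info: 203.0.113.5 example.org. MX IN"
       for i in range(12)]  # 12 queries, but spread over 12 seconds
)

if __name__ == "__main__":
    for ip, name in sorted(find_repeat_offenders(SAMPLE)):
        # One line per offender, in a form a fail2ban filter regex could match.
        print(f"repeat-query client={ip} name={name}")
```

The printed lines carry the client IP, which is what a fail2ban filter needs; the threshold and window are parameters to tune against real traffic.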