Maintained by: NLnet Labs

[Unbound-users] Unbound Logging

Dominick Rivard
Thu Feb 2 15:28:54 CET 2012


Thank you, everyone for your I'll test the log queries today on my testing
environment; if I can get fail2ban to work with this log I will keep you
informed. The reason I want to use fail2ban is to automate the process of
banning the IP without having to manually create iptables rules by hand and
then manage them each time I have to add one. If this doesn't work I'll test
the iptables based on time.

Thank you!
Dominick


-----Original Message-----
From: unbound-users-bounces at unbound.net
[mailto:unbound-users-bounces at unbound.net] On Behalf Of W.C.A. Wijngaards
Sent: Thursday, February 02, 2012 4:27 AM
To: unbound-users at unbound.net
Subject: Re: [Unbound-users] Unbound Logging

On 02/02/2012 09:53 AM, Oliver Peter wrote:
> On Wed, Feb 01, 2012 at 05:24:50PM -0600, Mark Felder wrote:
>> On 01.02.2012 10:49, Dominick Rivard wrote:
>>> I am using Unbound to serve a public DNS server and I am looking for
>>> a way to prevent bot or server degrading my service by requesting
>>> the same domain name like 10 times per second. I thought of using
>>> fail2ban but for that I need to get the IP of the requester
>>> somewhere in the log, so I tried analyzing the log and changed the
>>> verbosity of the logging with unbound-control, but still I don't
>>> find anything yet that I could use for this purpose.
>> On BSD I'd say use a pf rule to block the IP for a time period if X 
>> many concurrent states to port 53. Is something like that possible 
>> with iptables on Linux?
> 
> That would work on a general denial of service scenario (rate
> limiting) but the OP wanted to block the client after X connections to 
> the same domain and with pf (and probably iptables) you cannot log the 
> requested domainname; you will need some userlevel magic here.

If you set log-queries: yes then it logs: time, IP, name, type, class and
this you can maybe use as input to that userlevel script.

Best regards,
   Wouter

_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
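
Added example, not part of the original thread: a sketch of the user-level script discussed above, reading log-queries output and flagging clients that request the same name too often, so that the result can feed a ban list. The log line layout, the function name find_repeat_offenders, the thresholds and the sample lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed layout: "[epoch] unbound[pid:thread] info: IP NAME TYPE CLASS"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<ip>\S+) (?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$"
)

def find_repeat_offenders(lines, max_hits=10, window=1):
    """Map client IP -> name for clients that asked for one name at least
    max_hits times inside a sliding window of `window` seconds."""
    recent = defaultdict(deque)  # (ip, name) -> timestamps still in window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            # Other four-word info messages fit the regex; require a real IP.
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue
        ts = int(m["ts"])
        name = m["name"].lower()  # DNS names compare case-insensitively
        q = recent[(ip, name)]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= max_hits:
            offenders.setdefault(ip, name)
    return offenders

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE = (
    ["[1328192934] unbound[2101:0] info: 192.0.2.10 example.com. A IN"] * 10
    + ["[1328192934] unbound[2101:0] info: 198.51.100.7 example.org. AAAA IN",
       "[1328192935] unbound[2101:0] info: 198.51.100.7 example.org. A IN",
       "[1328192935] unbound[2101:0] info: service stopped (unbound 1.4.16)."]
    + [f"[{1328192940 + i}] unbound[2101:0] info: 203.0.113.5 Example.NET. A IN"
       for i in range(10)]
)

if __name__ == "__main__":
    for ip, name in find_repeat_offenders(SAMPLE).items():
        print(f"{ip} exceeded the limit for {name}")
```

Because the timestamps are whole seconds, the window cannot be finer than one second, and the lines are assumed to arrive in time order.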