Maintained by: NLnet Labs

[Unbound-users] Unbound not resolving after ISC.org attack

Dominick Rivard
Wed Mar 13 19:52:25 CET 2013


Hi,

I am trying to find the cause of an issue we experienced last
Thursday. We are running multiple Unbound servers
in order to provide internet to our users. I would say we were under attack
with a couple of IPs trying to request as many records as possible for “ANY?
isc.org.”. The DNS were resolving until a certain point in time, when it
became just impossible to resolve anything. My first try was to restart the
unbound service and it worked for a couple of seconds, then it failed again.
The next step was to block these IPs with iptables, but still it wasn’t
resolving, even after a second restart of the unbound service.

What resolved the issue was to route the traffic to a different NAT IP so the
unbound servers were seen as a different public IP when going to the internet.
At that point I thought I could have been throttled or blacklisted by the
root servers. I wrote to them and they explained to me that they don’t have
such a means to limit the rate of queries or throttle any of our requests.

So I am turning to you guys to ask some questions: what could be slowing me
down or blocking me from my local unbound server to resolve any name? Is
there any configuration I need to change?

How would you prevent this kind of attack in the future?

Unbound version: 1.4.18

OS: Debian Squeeze 6.0.6

Best regards.

Dominick Rivard,
Solutions Architect

5275 Queen Mary 
Montréal, Qc
H3W 1Y3
Tel: 514-385-4448 ext 126
Fax: 514-385-6660
