Maintained by: NLnet Labs

[Unbound-users] Unbound DDoS / reflexion attack counter-measure ?

Tom
Sat May 31 01:32:03 CEST 2014


Hi,

> If your server does not need to be open to the world, you could restrict
> queries to the subnets you control by adding "access-control:
> <subnet>/<mask> allow".

I do have access-control lines but because I had so many I removed them 
for clarity but I forgot to keep a few. As an ISP, we have customers 
that have obviously malware running on their networks/hosts we cannot 
control.

So my config actually looks like this :

server:
         verbosity: 1
         interface-automatic: yes
         outgoing-range: 950
         outgoing-num-tcp: 50
         incoming-num-tcp: 50
         so-rcvbuf: 4m
         msg-cache-size: 50m
         jostle-timeout: 1000
         rrset-cache-size: 100m
         root-hints: "named.cache"
         access-control: 127.0.0.0/8 allow
         access-control: ::1 allow
         access-control: 2407:6800:xx:xx::/64 allow
         access-control: 192.168.0.0/16 allow
         access-control: 123.xxx.xxx.xxx/17 allow
         [..]
         hide-identity: yes
         hide-version: yes
         prefetch: yes
         prefetch-key: yes
         auto-trust-anchor-file: "root.key"

python:
remote-control:
         control-enable: yes

Sorry for the oversight.

Thomas