Maintained by: NLnet Labs

[Unbound-users] New User Questions

Paul Stewart
Thu Oct 9 18:11:25 CEST 2014


Hi everyone..

 

We just moved from BIND over to Unbound (for caching).  One of the issues we
were faced with on our BIND installations was substantial surges in fake
domain name lookups. 

 

How does Unbound deal with these and is there any configuration items that
we should be looking at to contain the effect they have.  We had a customer
recently on a 25X10 VDSL connection (yes, we're an ISP) with some kind of a
virus (or they were participating in a C&C botnet) - they launched about
200k lookups for random subdomains belonging to a valid .cn domain name.
These lookups occurred over approximately 5 minute period.

 

I turned up logging to level "2" and also to level "3" and the amount of
CPU/disk activity drove up drastically which I can understand.  Is there a
level that only logs "interesting" errors?  I set it back to level 1 at this
point to avoid expensive disk writes etc.

 

DNSSEC - we have not enabled DNSSEC previously due to lack of understanding.
As we are only using Unbound for caching purposes, is there a simple step by
step I should be reading up on so we can enable it?  My hope is that as more
folks adopt DNSSEC in their authoritative servers that it cuts down on the
"junk" we are seeing more frequently  and of course provides secure
validation on the actual lookups - is that a safe assumption?

 

Any suggestions, thoughs, input etc much appreciated - sorry for all the
questions :)

 

Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20141009/b2587d3b/attachment.html>