Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Wed Apr 1 19:34:48 CEST 2015

2015-04-02 0:51 GMT+09:00 Daniel Ryslink <daniel.ryslink at>:

> However, you can maintain local zone list in unbound automatically fairly
> easily, we have been doing it for over a year with minimal necessity of
> manual intervention. If you wish, have a look at the attached perl script.

unbound-bloomfilter's attack detection mechanisms implement almost
same thing as your script.
I used public suffix list (source code embedded, currently)  to
determine depth of blocking domain
which corresponds to your "third_level_domains.conf".

Note that the bloomfilter itself is a way to reduce collateral damage
caused by filtering.
Of course to reduce damage caused by wrong (false positive) filtering and
to accept legitimate queries for the filtered domain

> The only other option is to persuade the users of  the compromised machines
> to clean their systems.

I agree.

 Daisuke HIGASHI