Maintained by: NLnet Labs

Fwd: refuse ANY queries

Eric Luehrsen
Fri Sep 1 14:59:57 CEST 2017


That is not off topic at all. You could use python plugins to facilitate this. The Unbound python plugin documentation/examples page has a blacklist DNS example. It could be modified to trigger blacklist entries on query metrics. You can blacklist requesters through Unbound access control settings. You can blacklist domain responses by creating empty static domains. It seems you can mix the two with the new "views" feature.

- Eric


-------- Original message --------
From: Aleš Rygl via Unbound-users <unbound-users at unbound.net>
Date: 9/1/17 06:51 (GMT-05:00)
To: unbound-users at unbound.net
Subject: Re: refuse ANY queries

Hi,

it is rather off-topic but it could help you: we use the dnsdist DNS balancer to
fight with various types of attacks including an excessive amount of ANY queries.
You can set up a rule counting queries per IP within a certain amount of time
and react then. We have Unbound backends. 50kqps is a piece of cake.

BR

Aleš


> BTW it is possible to play nasty tricks and reply with an 'actual' ANY:
>
> local-zone: "example.com." typetransparent
> local-data: "example.com. TYPE255 \# 1 00"
>
> I hope such answer will break the botnet we are fighting against!
>

