To begin, restrict access from outside using standard Unbound
configuration (example from one of my setups):
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
access-control: 172.16.0.0/12 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
Additionally, cut off external access with a server firewall and/or on
the border. And finally, check the internal network to see if it is trooped.

24.03.2025 15:18, sir izake via Unbound-users wrote:
Hi
I run an unbound DNS cache resolver (version 1.22.0) on a FreeBSD 14.2
server. It is configured to only respond to queries from the local
host and my network IP block.
Recently, I detected my server was involved in a DNS amplification
attack. By default unbound doesn't respond to any query outside those
allowed in the access list in the config file. How do I uncover the
source IPs involved and potentially block them?
Are there other options I need to enable to prevent further
amplification attacks?
I have checked the server and don't see any suspicious process running.
Your support and advice is greatly appreciated.
Regards
izake
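
An added example, not part of the thread and not Unbound project code: it evaluates the access-control list posted in the reply with most-specific-netblock matching and tallies query sources from a log, so the sources the resolver would actually answer stand out. The log line layout (Unbound with log-queries: yes) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# ACL copied from the reply above: (netblock, action).
ACL = [("0.0.0.0/0", "refuse"), ("127.0.0.0/8", "allow_snoop"),
       ("192.168.0.0/16", "allow_snoop"), ("172.16.0.0/12", "allow_snoop"),
       ("::0/0", "refuse"), ("::1", "allow"), ("::ffff:127.0.0.1", "allow")]
NETS = [(ipaddress.ip_network(n), a) for n, a in ACL]

# Assumed layout of a query log line: "... info: <client> <qname> <type> IN"
LINE = re.compile(r"info: (\S+) \S+ \S+ IN$")

# Constructed sample log; addresses are private or documentation ranges.
SAMPLE_LOG = """\
[1742829480] unbound[1234:0] info: 192.168.1.50 example.com. ANY IN
[1742829480] unbound[1234:0] info: 192.168.1.50 example.com. ANY IN
[1742829481] unbound[1234:0] info: 192.168.1.50 example.com. ANY IN
[1742829481] unbound[1234:0] info: 172.16.4.9 example.org. A IN
[1742829482] unbound[1234:0] info: 203.0.113.7 example.com. ANY IN
"""

def acl_action(addr):
    """Return the action of the most specific netblock containing addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, act) for net, act in NETS
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else "refuse"

def answered_sources(log_text):
    """List (client, action, query count) for clients the ACL lets through."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue
        try:
            action = acl_action(m.group(1))
        except ValueError:  # field was not an IP address, skip the line
            continue
        if action != "refuse":
            counts[(m.group(1), action)] += 1
    return [(ip, act, n) for (ip, act), n in counts.most_common()]

if __name__ == "__main__":
    for ip, act, n in answered_sources(SAMPLE_LOG):
        print(f"{n:6d}  {ip:<20} {act}")
```

Sources that appear here with high counts are hosts inside the allowed ranges, or packets carrying spoofed internal addresses, which is where the border filtering mentioned in the reply applies.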