Ah, I was inattentive. It seems to me that a consistent set of actions is needed here, as in any incident: listening to the traffic, in order to catch the illegitimate traffic and try to determine its source; scanning the external access point for open ports; checking the firewall and routing settings. And, yes, of course, it is worth starting by checking the config and its hardening.

On 24.03.2025 15:33, Cristiano Deana via Unbound-users wrote:
On 24/03/2025 11:18, sir izake via Unbound-users wrote:

Hi,

I run an Unbound DNS caching resolver (version 1.22.0) on a FreeBSD 14.2 server. It is configured to only respond to queries from localhost and my network IP block.

What do you get with `unbound-control get_option access-control`?

Recently, I detected that my server was involved in a DNS amplification attack. By default Unbound doesn't respond to any query outside those allowed in the access list in the config file. How do I uncover the source IPs involved and potentially block them?

Are there other options I need to enable to prevent further amplification attacks?

I have checked the server and don't see any suspicious process running.

Your support and advice is greatly appreciated.

Regards
izake
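A way to make the steps discussed in this thread (find out which clients the resolver is actually talking to, then block them) repeatable, as an added example that is not part of the thread or of Unbound itself: the script parses the lines Unbound writes with `log-queries: yes`, flags every client outside the allowed netblocks, and prints the pf commands an operator would review before running. The allowed block `198.51.100.0/24`, the pf table name `dns_abuse` and the log lines are constructed for the example; only IPv4 clients are handled. One caveat worth knowing when reading the result: Unbound's default action for clients not listed in `access-control` is `refuse`, which still sends a small REFUSED reply, whereas `deny` drops the query silently, so an Internet-facing resolver should use `0.0.0.0/0 deny` rather than rely on the default.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Unbound project.
# Reads Unbound query-log lines (log-queries: yes), reports every client
# outside the resolver's allowed netblocks, and prints the pf commands an
# operator would review before running. Only IPv4 is handled here.

# Constructed sample log lines in the format Unbound writes with
# log-queries: yes ("[epoch] unbound[pid:tid] info: <client> <qname> <qtype> <qclass>").
SAMPLE_LOG='[1742822000] unbound[1234:0] info: 127.0.0.1 freebsd.org. A IN
[1742822001] unbound[1234:0] info: 198.51.100.20 example.com. AAAA IN
[1742822002] unbound[1234:0] info: 203.0.113.77 isc.org. ANY IN
[1742822002] unbound[1234:0] info: 203.0.113.77 isc.org. ANY IN
[1742822003] unbound[1234:0] info: 203.0.113.77 isc.org. ANY IN
[1742822004] unbound[1234:0] info: 192.0.2.9 example.net. TXT IN
[1742822005] unbound[1234:0] info: 198.51.100.21 example.org. A IN'

# Assumption: the resolver should only serve localhost and this netblock
# (the poster's real block is not in the thread; 198.51.100.0/24 is documentation space).
ALLOWED="127.0.0.0/8 198.51.100.0/24"

# Assumption: a pf table of this name is referenced by a block rule in pf.conf.
PF_TABLE="dns_abuse"

ip_to_int() {
    # Dotted-quad IPv4 -> 32-bit integer.
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr IP NET/BITS -> exit 0 when IP lies inside NET/BITS.
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; the final AND keeps the mask to 32 bits.
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

is_allowed() {
    # exit 0 when IP is inside any ALLOWED block.
    for _block in $ALLOWED; do
        in_cidr "$1" "$_block" && return 0
    done
    return 1
}

unexpected_sources() {
    # stdin: Unbound query-log lines. stdout: "<count> <ip>" for each client
    # outside ALLOWED, busiest first. A client that shows up in the query log
    # was processed by the resolver, so these are the hosts to investigate.
    while read -r _line; do
        case $_line in
            *" info: "*) ;;
            *) continue ;;
        esac
        _rest=${_line#*info: }
        _client=${_rest%% *}
        case $_client in *:*) continue ;; esac   # skip IPv6 in this IPv4-only example
        is_allowed "$_client" || echo "$_client"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

block_commands() {
    # stdin: output of unexpected_sources. stdout: one pfctl command per client
    # adding it to PF_TABLE. Printed, not executed, so they can be reviewed first.
    while read -r _count _client; do
        echo "pfctl -t $PF_TABLE -T add $_client    # $_count queries"
    done
}

# Stand-alone run over the constructed sample. On a real host feed the actual
# log instead, e.g.  grep 'info: ' /var/log/unbound.log | unexpected_sources
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources | block_commands
```

Any non-allowed client that appears in the query log at all is the finding: with a correct `access-control` list none should. If they do, re-check the running config with `unbound-control get_option access-control` as suggested above, and tighten the resolver itself with `access-control: 0.0.0.0/0 deny`, `ip-ratelimit` (per-client queries per second), `ratelimit` (per-zone), `minimal-responses: yes` and `deny-any: yes`, which remove most of the amplification factor even for clients that are allowed.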
