Thank you all. "unbound-control get_option access-control" shows a list of IP blocks I have allowed/denied.

I have also done the explicit deny and recommended config hardening. I will monitor and see if the issue reoccurs.

Thank you
izake

On Mon, Mar 24, 2025 at 10:48 AM <unbound-users-requ...@lists.nlnetlabs.nl> wrote:
> Send Unbound-users mailing list submissions to
> unbound-users@lists.nlnetlabs.nl
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users
> or, via email, send a message with subject or body 'help' to
> unbound-users-requ...@lists.nlnetlabs.nl
>
> You can reach the person managing the list at
> unbound-users-ow...@lists.nlnetlabs.nl
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Unbound-users digest..."
>
>
> Today's Topics:
>
>    1. Unbound dns resolver involved in DNS Amplification attack (sir izake)
>    2. Re: Unbound dns resolver involved in DNS Amplification attack (Yuri)
>    3. Re: Unbound dns resolver involved in DNS Amplification attack (Cristiano Deana)
>    4. Re: Unbound dns resolver involved in DNS Amplification attack (Yuri)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 24 Mar 2025 10:18:38 +0000
> From: sir izake <siriz...@gmail.com>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <caacq5hcu_6i_hqapfuaqwezhee_wd9mqdauo4njjigh8cmz...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> server. It is configured to only respond to queries from the local host and
> my network IP block.
>
> Recently, I detected my server was involved in a DNS amplification attack.
> By default unbound doesn't respond to any query outside those allowed in
> the access list in the config file. How do I uncover the source IPs
> involved and potentially block them?
>
> Are there other options I need to enable to prevent further amplification
> attacks?
>
> I have checked the server and don't see any suspicious process running.
>
> Your support and advice is greatly appreciated.
>
> Regards
> izake
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20250324/a68a1439/attachment-0001.htm>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 24 Mar 2025 15:32:42 +0500
> From: Yuri <yvoi...@gmail.com>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <c957df77-cc37-4d5a-9dc0-8f3e78f0c...@gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> To begin, restrict access from outside using standard Unbound
> configuration (example from one of my setups):
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow_snoop
>     access-control: 192.168.0.0/16 allow_snoop
>     access-control: 172.16.0.0/12 allow_snoop
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: ::ffff:127.0.0.1 allow
>
> Additionally, cut off external access with a server firewall and/or on
> the border. And finally, check the internal network to see if it is
> trooped.
>
> On 24.03.2025 15:18, sir izake via Unbound-users wrote:
> > Hi
> >
> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> > server. It is configured to only respond to queries from the local
> > host and my network IP block.
> >
> > Recently, I detected my server was involved in a DNS amplification
> > attack. By default unbound doesn't respond to any query outside those
> > allowed in the access list in the config file. How do I uncover the
> > source IPs involved and potentially block them?
> >
> > Are there other options I need to enable to prevent further
> > amplification attacks?
> >
> > I have checked the server and don't see any suspicious process running.
> >
> > Your support and advice is greatly appreciated.
> >
> > Regards
> > izake
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20250324/45920e7f/attachment-0001.htm>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 24 Mar 2025 11:33:26 +0100
> From: Cristiano Deana <cristiano.de...@megaweb.it>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <b25581c2-8068-440a-b590-f0e3ad612...@megaweb.it>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 24/03/2025 11:18, sir izake via Unbound-users wrote:
>
> Hi,
>
> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
> > server. It is configured to only respond to queries from the local host
> > and my network IP block.
>
> what do you get with `unbound-control get_option access-control'?
>
> > Recently, I detected my server was involved in a DNS amplification
> > attack. By default unbound doesn't respond to any query outside those
> > allowed in the access list in the config file. How do I uncover the
> > source IPs involved and potentially block them?
> >
> > Are there other options I need to enable to prevent further
> > amplification attacks?
> >
> > I have checked the server and don't see any suspicious process running.
> >
> > Your support and advice is greatly appreciated.
> >
> > Regards
> > izake
>
> --
>
> ###############################
> #      Cristiano Deana        #
> #                             #
> #   Senior Network Engineer   #
> #   Digital Response Team     #
> #     CittaStudi S.p.a.       #
> #   off.  +39 015 855 1172    #
> #   cell  +39 328 310 6392    #
> ###############################
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 24 Mar 2025 15:48:03 +0500
> From: Yuri <yvoi...@gmail.com>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
> Message-ID: <55c63a28-03e3-4bbf-9b58-80b5786c9...@gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Ah, I was inattentive. It seems to me that a consistent set of actions
> is needed here, as in the case of an incident. Listening to traffic, in
> order to catch illegitimate traffic and try to determine its source.
> Scanning the external access point for open ports. Checking the firewall
> and routing settings. And, yes, of course, it is worth starting with
> checking the config and its hardening.
>
> On 24.03.2025 15:33, Cristiano Deana via Unbound-users wrote:
> > On 24/03/2025 11:18, sir izake via Unbound-users wrote:
> >
> > Hi,
> >
> >> I run an unbound dns cache resolver (version 1.22.0) on a freebsd
> >> 14.2 server. It is configured to only respond to queries from the
> >> local host and my network IP block.
> >
> > what do you get with `unbound-control get_option access-control'?
> >
> >> Recently, I detected my server was involved in a DNS amplification
> >> attack. By default unbound doesn't respond to any query outside
> >> those allowed in the access list in the config file. How do I uncover
> >> the source IPs involved and potentially block them?
> >>
> >> Are there other options I need to enable to prevent further
> >> amplification attacks?
> >>
> >> I have checked the server and don't see any suspicious process running.
> >>
> >> Your support and advice is greatly appreciated.
> >>
> >> Regards
> >> izake
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20250324/b2d8cd29/attachment.htm>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users@lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users
>
>
> ------------------------------
>
> End of Unbound-users Digest, Vol 63, Issue 9
> ********************************************
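As an added example (not code from anyone in this thread), here is a small Python checker for the list Cristiano asks about and izake inspected: it assumes `unbound-control get_option access-control` prints one "netblock action" pair per line, applies Unbound's most-specific-netblock rule to sample client addresses, and flags permissive entries on non-local ranges as well as a missing catch-all refuse (the explicit deny izake added). The ACL text, the planted 203.0.113.0/24 entry and the sample client IPs are constructed.

```python
import ipaddress

# Constructed sample of `unbound-control get_option access-control` output
# (assumed "netblock action" per line); 203.0.113.0/24 is a planted mistake.
SAMPLE_ACL = """\
0.0.0.0/0 refuse
127.0.0.0/8 allow_snoop
192.168.0.0/16 allow_snoop
172.16.0.0/12 allow_snoop
203.0.113.0/24 allow
::0/0 refuse
::1 allow
::ffff:127.0.0.1 allow
"""
# Actions that make Unbound answer (and recurse for) a client.
PERMISSIVE = {"allow", "allow_snoop", "allow_setrd", "allow_cookie"}
# Ranges a single-site cache resolver normally serves (loopback, RFC 1918, ULA, link-local, mapped loopback).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:127.0.0.0/104")]

def parse_acl(text):
    """Turn get_option output into a list of (network, action) rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return rules

def action_for(rules, ip):
    """Most specific (longest prefix) netblock wins, as in Unbound;
    addresses matching no rule are refused by default."""
    addr, best = ipaddress.ip_address(ip), None
    for net, action in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"

def is_local(net):
    return any(net.version == r.version and net.subnet_of(r) for r in LOCAL_RANGES)

def audit(rules):
    """Flag permissive rules on non-local ranges and missing catch-all refusals."""
    findings = [f"{net} {action}: permissive rule on a non-local range"
                for net, action in rules if action in PERMISSIVE and not is_local(net)]
    for catchall in ("0.0.0.0/0", "::/0"):
        if not any(net == ipaddress.ip_network(catchall) and action in ("refuse", "deny")
                   for net, action in rules):
            findings.append(f"no explicit catch-all refuse/deny for {catchall}")
    return findings
```

Run `audit(parse_acl(open("acl.txt").read()))` over the real command output to get the same report; an empty list means every permissive entry is on a local range and both address families fall through to refuse.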