2018-04-09 16:15 GMT-03:00 Paul Vixie via Unbound-users <[email protected]>:
>
> Rainer Duffner via Unbound-users wrote:
>>
>>> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users
>>> <[email protected]> wrote:
>>>
>>> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN,
>>> for queries coming from my clients.
>>
>> Block those IPs that are obviously p4wned until they clean up their PCs?
>
> the source addresses are forged. the victims are not unclean in any way.
> this is why rrl exists.

I drop queries in the firewall by string.

# /sbin/iptables -A DNS -m string --algo bm --hex-string '|04|wpad|06|domain|04|name|' --to 255 -j DROP -m comment --comment "DROP wpad.domain.name"

-- 
Eduardo Schoedler
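
Added example, not part of the original thread: how the --hex-string pattern in the rule above corresponds to the DNS wire format of the name, and which query names such a rule covers. The function names and the sample queries are constructed for illustration, and the matcher only models a byte search over the DNS payload (it ignores the IP/UDP headers and the --to 255 limit).

```python
import struct

def qname_wire(name: str) -> bytes:
    """DNS wire format of a name: each label prefixed by its length byte.
    The terminating root label (0x00) is left off, as in the rule above."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out

def hex_string_pattern(name: str) -> str:
    """Render the name in iptables --hex-string syntax: |len|label...|"""
    labels = name.strip(".").split(".")
    return "".join(f"|{len(l):02x}|{l}" for l in labels) + "|"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS query payload: header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname_wire(name) + b"\x00" + struct.pack("!HH", qtype, 1)

def rule_matches(payload: bytes, name: str, icase: bool = False) -> bool:
    """Model of the string match: plain byte search, case-sensitive
    unless icase is set (the string module's --icase option)."""
    needle = qname_wire(name)
    if icase:
        return needle.lower() in payload.lower()
    return needle in payload

if __name__ == "__main__":
    blocked = "wpad.domain.name"
    print(hex_string_pattern(blocked))
    for q in ("wpad.domain.name", "WPAD.Domain.Name",
              "wpad.domain.name.example.com", "xwpad.domain.name"):
        pkt = build_query(q)
        print(f"{q:32} exact={rule_matches(pkt, blocked)} "
              f"icase={rule_matches(pkt, blocked, icase=True)}")
```

DNS names are case-insensitive, so a rule written without --icase does not cover the same name sent in mixed case; and because the pattern has no terminating |00|, it also matches longer names that start with the same labels.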
