Unbound has a bunch of `ratelimit` options that may help you out.

On Tue, Apr 10, 2018 at 12:27 AM, W.C.A. Wijngaards via Unbound-users <[email protected]> wrote:
> Hi Mahdi,
>
> This may not be what you are looking for but the just released
> aggressive-nsec: yes option uses DNSSEC aggressive NSEC processing to
> cache more NXDOMAINs per upstream lookup, and more quickly respond to
> NXDOMAINs, resulting in less upstream traffic and less load on the
> server for NXDOMAINS.
>
> Best regards, Wouter
>
> On 10/04/18 08:45, Mahdi Adnan via Unbound-users wrote:
> > Thank you all for your response,
> >
> > --
> >
> > Respectfully
> > Mahdi A. Mahdi
> >
> > ------------------------------------------------------------------------
> > From: Paul Vixie <[email protected]>
> > Sent: Monday, April 9, 2018 11:37 PM
> > To: Rainer Duffner
> > Cc: Mahdi Adnan; [email protected]
> > Subject: Re: DGA Attack mitigation
> >
> > Rainer Duffner via Unbound-users wrote:
> >>
> >>> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users
> >>> <[email protected]> wrote:
> >>>
> >>> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN,
> >>> for queries coming from my clients.
> >>
> >> Block those IPs that are obviously p4wned until they clean up their PCs?
> >
> > the source addresses are forged. the victims are not unclean in any way.
> > this is why rrl exists.
> >
> > -- P Vixie
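The aggressive NSEC behaviour mentioned in the quoted reply, sketched as an added example that is not part of the thread and not Unbound's code: once a validated NSEC range is cached, every random name that falls inside it gets NXDOMAIN without another upstream query. The zone, the query names and all function and class names are constructed for illustration, and the sketch assumes a zone with no wildcards or delegations (a real resolver also checks those and validates signatures).

```python
# Added example: NXDOMAIN synthesis from cached NSEC ranges (RFC 8198 idea).
# Zone contents and query names are constructed; no wildcards or delegations.

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: lowercase labels, compared rightmost first."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC record owner -> next_name proves qname does not exist."""
    o, n, q, a = (canonical_key(x) for x in (owner, next_name, qname, apex))
    if q[:len(a)] != a:          # qname is outside the signed zone
        return False
    if o < n:
        return o < q < n         # ordinary gap between two existing names
    return q > o                 # last NSEC in the chain wraps back to the apex

class AggressiveNsecCache:
    def __init__(self, apex):
        self.apex = apex
        self.ranges = []         # validated (owner, next) pairs learned so far
        self.upstream_queries = 0

    def resolve(self, qname, upstream):
        """Return (rcode, answered_from_cache)."""
        for owner, nxt in self.ranges:
            if nsec_covers(owner, nxt, qname, self.apex):
                return "NXDOMAIN", True
        self.upstream_queries += 1
        rcode, nsec = upstream(qname)
        if rcode == "NXDOMAIN" and nsec not in self.ranges:
            self.ranges.append(nsec)
        return rcode, False

ZONE = ["example.", "mail.example.", "www.example."]   # constructed signed zone

def fake_upstream(qname):
    """Stand-in for the authoritative server: rcode plus the covering NSEC."""
    names = sorted(ZONE, key=canonical_key)
    if canonical_key(qname) in [canonical_key(n) for n in names]:
        return "NOERROR", None
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        if nsec_covers(owner, nxt, qname, ZONE[0]):
            return "NXDOMAIN", (owner, nxt)
    return "REFUSED", None       # name is not in this zone

def run_demo():
    cache = AggressiveNsecCache("example.")
    dga = ["qzkxv.example.", "pplwd.example.", "xkcd1.example.",
           "abcde.example.", "nnn.example.", "zzz.example."]
    return [cache.resolve(n, fake_upstream) for n in dga], cache.upstream_queries
```

In this constructed zone the three NSEC ranges are learned after three upstream lookups, after which every further nonexistent name under `example.` is answered from cache.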
