Hello to everyone,
I maintain a list of domains used for DNS amplification attacks in /etc/unbound/local.d/blacklist.conf
This file contains lines like this one:
local-zone: "9222hh.com" deny
Can I log this to identify the client sending the request?
I see the inform feature in the new release, but inform will reply to the query anyway.
Do you have any suggestions?
digitel
Ing. Lorenzo Mainardi
Via della Fortezza 6 - 50129 Firenze
www.digitelitalia.com - 800 901 669
Tel +39 055 4624933
Fax +39 055 4624 947
lom@digitelitalia.com
Wouter
Hi Lorenzo,
> Hello to everyone,
> I maintain a list of domains used for DNS amplification attacks in
> /etc/unbound/local.d/blacklist.conf
> This file contains lines like this one:
> local-zone: "9222hh.com" deny
> Can I log this to identify the client sending the request?
> I see the inform feature in the new release, but inform will
> reply to the query anyway.
> Do you have any suggestions?
I have implemented inform_deny that logs and drops, in the code
repository.
You could set a stub-zone to an address that does not reply, as a
workaround.
Best regards,
Wouter
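
An added example, not part of the original thread and not Unbound project code: once a blacklist entry is changed to `local-zone: "9222hh.com" inform_deny`, a script like this can tally which client addresses hit each dropped zone. The log layout it parses (`<zone> <zone-type> <client-ip>@<port> <qname> <qtype> <qclass>` after `info:`) and the function names are assumptions, and the sample lines are constructed; check the pattern against your own Unbound log before relying on it.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic). Assumed message layout:
#   info: <zone> <zone-type> <client-ip>@<port> <qname> <qtype> <qclass>
SAMPLE_LOG = """\
[1446200001] unbound[2112:0] info: 9222hh.com. inform_deny 192.0.2.10@40211 9222hh.com. ANY IN
[1446200001] unbound[2112:0] info: 9222hh.com. inform_deny 192.0.2.10@40212 9222hh.com. ANY IN
[1446200002] unbound[2112:0] info: 9222hh.com. inform_deny 2001:db8::5@53011 www.9222hh.com. A IN
[1446200003] unbound[2112:0] info: example.org. inform 198.51.100.7@1053 example.org. A IN
[1446200004] unbound[2112:0] info: 9222hh.com. inform_deny 192.0.2.10@40213 9222hh.com. ANY IN
[1446200005] unbound[2112:0] notice: init module 0: validator
"""

# inform_deny is listed first so the alternation never stops at the "inform" prefix.
LINE_RE = re.compile(
    r"info: (?P<zone>\S+) (?P<ztype>inform_deny|inform) "
    r"(?P<ip>[0-9A-Fa-f:.]+)@(?P<port>\d+) "
    r"(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$"
)

def parse_line(line):
    """Return the fields of one inform/inform_deny line, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def clients_by_zone(lines, ztype="inform_deny"):
    """Map each matched zone to a Counter of client IPs that queried it."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ztype"] != ztype:
            continue
        zone = rec["zone"].rstrip(".").lower()  # normalise the trailing root dot
        counts.setdefault(zone, Counter())[rec["ip"]] += 1
    return counts

if __name__ == "__main__":
    for zone, ctr in clients_by_zone(SAMPLE_LOG.splitlines()).items():
        for ip, n in ctr.most_common():
            print(f"{zone}\t{ip}\t{n}")
```

In an amplification attack the source address of the query is normally spoofed, so the address that tops this tally is usually the victim being flooded rather than the sender.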