Unbound DNS resolver involved in DNS amplification attack

Hi

I run an Unbound DNS cache resolver (version 1.22.0) on a FreeBSD 14.2 server. It is configured to only respond to queries from the local host and my network IP block.

Recently, I detected that my server was involved in a DNS amplification attack. By default Unbound doesn't respond to any query outside those allowed in the access list in the config file. How do I uncover the source IPs involved and potentially block them?

Are there other options I need to enable to prevent further amplification attacks?

I have checked the server and don't see any suspicious process running.

Your support and advice are greatly appreciated.

Regards
izake

To begin, restrict access from outside using standard Unbound configuration (example from one of my setups):

server:
    # Everyone not matched by a more specific rule gets REFUSED.
    access-control: 0.0.0.0/0 refuse
    # Local host and private networks may query (and may also read the cache
    # with RD=0, which is what allow_snoop adds on top of allow).
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 192.168.0.0/16 allow_snoop
    access-control: 172.16.0.0/12 allow_snoop
    # Same default for IPv6, then the loopback addresses.
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow

Additionally, cut off external access with a server firewall and/or on the border. And finally, check the internal network to see if it is trojaned.
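To see what the rule set above actually does for a given client, here is an added example (not code from the thread) that evaluates access-control lines the way Unbound does: the most specific matching prefix wins, and a client that matches no rule gets Unbound's default of refuse. It also makes one caveat explicit: `refuse` still sends a REFUSED packet back to the spoofed source, whereas `deny` drops the query silently; only `allow`, `allow_snoop` and `allow_setrd` return full answers, which is the case that amplifies. The posted rules are used as-is (with a `server:` stanza assumed) next to a constructed, deliberately open variant for comparison.

```python
"""Evaluate Unbound access-control rules: longest-prefix match wins, and an
unlisted client gets the default action (refuse).  Example added to the
thread; the OPEN_CONFIG rule set is constructed, not from any real host."""
import ipaddress

DEFAULT_ACTION = "refuse"          # Unbound's default for clients matched by no rule
# Actions that return a real answer, i.e. the ones that can amplify.
ANSWERING_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}

# The rule set posted above (server: stanza assumed).
POSTED_CONFIG = """
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 192.168.0.0/16 allow_snoop
    access-control: 172.16.0.0/12 allow_snoop
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
"""

# Constructed weak variant: the whole Internet may recurse through us.
OPEN_CONFIG = """
server:
    access-control: 0.0.0.0/0 allow
"""


def parse_access_control(text):
    """Return [(network, action)] from every 'access-control:' line in text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line.startswith("access-control:"):
            continue
        net, action = line.split(":", 1)[1].split()
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def lookup(rules, client):
    """Action Unbound applies to client: most specific matching rule, else default."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else DEFAULT_ACTION


def sends_reply(action):
    """Does any packet go back to the (possibly spoofed) source?
    refuse answers with rcode REFUSED (small, ~query size); deny stays silent."""
    return action != "deny"


def can_amplify(rules, client):
    """True when the client would receive full recursive answers."""
    return lookup(rules, client) in ANSWERING_ACTIONS


def report(config_text, clients):
    """Map each client address to (action, sends_reply, can_amplify)."""
    rules = parse_access_control(config_text)
    return {c: (lookup(rules, c), sends_reply(lookup(rules, c)), can_amplify(rules, c))
            for c in clients}


if __name__ == "__main__":
    probes = ["192.168.1.20", "203.0.113.9", "::1", "2001:db8::1"]
    for name, cfg in (("posted", POSTED_CONFIG), ("open", OPEN_CONFIG)):
        for client, verdict in report(cfg, probes).items():
            print(f"{name:6} {client:16} action={verdict[0]:12} "
                  f"reply={verdict[1]} amplifies={verdict[2]}")
```

Run it against your own file (`report(open("/usr/local/etc/unbound/unbound.conf").read(), [...])`) with an address from outside your block: if the action comes back as anything in the answering set, the resolver is open to that source regardless of what the firewall is doing. Switching the two catch-all rules to `deny` stops even the small REFUSED reflections.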

Hi,

I run an Unbound DNS cache resolver (version 1.22.0) on a FreeBSD 14.2 server. It is configured to only respond to queries from the local host and my network IP block.

What do you get with `unbound-control get_option access-control`?

Ah, I was inattentive. It seems to me that a consistent set of actions is needed here, as in the case of an incident: listening to traffic, in order to catch illegitimate traffic and try to determine its source; scanning the external access point for open ports; checking the firewall and routing settings. And, yes, of course, it is worth starting with checking the config and its hardening.
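For the "catch illegitimate traffic and determine its source" step, and the OP's question of how to uncover and block the source IPs, here is an added example (not from the thread) that reads Unbound query/reply log lines, aggregates them per client, flags sources outside the served networks that received amplification-friendly answers, and writes a pf table file. The line shape is an assumption modelled on what `log-queries: yes` plus `log-replies: yes` produce (client, name, type, class, then rcode, time, cached flag, response bytes); the sample lines, the served networks and the table name `reflectors` are constructed for the example. If you capture with tcpdump instead, feed the same summariser from that.

```python
"""Spot likely DNS reflection sources in Unbound logs and emit a pf table.
Example added to the thread.  Assumptions: log lines in the shape written
by log-queries/log-replies; SAMPLE_LOG is constructed, not real traffic."""
import ipaddress
import re
from collections import defaultdict

# Networks the resolver is meant to serve (assumed for the example).
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16", "::1/128")]

# Query types whose answers are large relative to the query.
AMP_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# "[ts] unbound[pid:tid] info: client qname qtype qclass [rcode time cached bytes]"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] (?:info|query|reply): "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
    r"(?: (?P<rcode>\S+) (?P<time>\S+) (?P<cached>[01]) (?P<bytes>\d+))?$"
)

# Constructed sample: two internal clients, one external ANY flood, one TXT probe.
SAMPLE_LOG = """\
[1733000000] unbound[1234:0] info: 192.168.1.20 www.freebsd.org. A IN NOERROR 0.012 0 78
[1733000001] unbound[1234:0] info: 203.0.113.9 isc.org. ANY IN NOERROR 0.000 1 3312
[1733000001] unbound[1234:0] info: 203.0.113.9 isc.org. ANY IN NOERROR 0.000 1 3312
[1733000002] unbound[1234:0] info: 203.0.113.9 isc.org. ANY IN NOERROR 0.000 1 3312
[1733000002] unbound[1234:0] info: 198.51.100.77 example.net. TXT IN NOERROR 0.000 1 1540
[1733000003] unbound[1234:0] info: 192.168.1.21 mail.example.com. MX IN NOERROR 0.030 0 120
[1733000003] unbound[1234:0] info: 203.0.113.9 isc.org. ANY IN NOERROR 0.000 1 3312
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a query/reply line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
    return rec


def query_size(qname):
    """Wire size of the request: 12-byte header + name + 4 bytes qtype/qclass,
    plus an 11-byte OPT record (amplification probes normally send EDNS)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name_len = sum(len(l) + 1 for l in labels) + 1   # length bytes + root label
    return 12 + name_len + 4 + 11


def is_external(client):
    addr = ipaddress.ip_address(client)
    return not any(addr in n for n in ALLOWED if n.version == addr.version)


def summarize(lines):
    """Per-client counters: queries, bytes sent back, amp-type queries, worst ratio."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_out": 0, "amp_queries": 0,
                                 "worst_ratio": 0.0, "external": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["queries"] += 1
        s["bytes_out"] += rec["bytes"]
        s["amp_queries"] += rec["qtype"] in AMP_QTYPES
        s["worst_ratio"] = max(s["worst_ratio"], rec["bytes"] / query_size(rec["qname"]))
        s["external"] = is_external(rec["client"])
    return dict(stats)


def suspects(stats, min_ratio=10.0):
    """External sources that got amp-type or heavily amplified answers, biggest first."""
    bad = [ip for ip, s in stats.items()
           if s["external"] and (s["amp_queries"] or s["worst_ratio"] >= min_ratio)]
    return sorted(bad, key=lambda ip: stats[ip]["bytes_out"], reverse=True)


def pf_table(ips):
    """Contents for: pfctl -t reflectors -T replace -f <file> (one address per line)."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True):
        print(f"{ip:16} q={s['queries']:4} out={s['bytes_out']:7}B "
              f"amp={s['amp_queries']:3} ratio={s['worst_ratio']:6.1f} ext={s['external']}")
    print(pf_table(suspects(stats)), end="")
```

Bear in mind that the addresses this turns up are the victims being reflected to, not the attacker, so the pf table is a damage limiter while the access list and firewall get fixed; with `table <reflectors> persist` in pf.conf and a `block in quick on $ext_if proto udp from <reflectors> to port 53` rule, the file can be reloaded as the log grows.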