Discussion:
[Unbound-users] Log deny client
Lorenzo Mainardi
2015-04-15 10:44:05 UTC
Hello to everyone,

I maintain a list of domains used for DNS amplification attacks in
/etc/unbound/local.d/blacklist.conf

This file contains lines like this one:

local-zone: "9222hh.com" deny

Can I log this to identify the client sending the request?

I see the inform feature in the new release, but inform will reply to
the query anyway.

Do you have any suggestions?





digitel
Ing. Lorenzo Mainardi
Via della Fortezza 6 - 50129 Firenze
www.digitelitalia.com <http://www.digitelitalia.com/> - 800 901 669
Tel +39 055 4624933
Fax +39 055 4624 947
***@digitelitalia.com <mailto:***@digitelitalia.com>

W.C.A. Wijngaards
2015-04-16 10:31:37 UTC
Hi Lorenzo,
Post by Lorenzo Mainardi
> Hello to everyone,
> I maintain a list of domains used for DNS amplification attacks in
> /etc/unbound/local.d/blacklist.conf
> local-zone: "9222hh.com" deny
> Can I log this to identify the client sending the request?
> I see the inform feature in the new release, but inform will reply to
> the query anyway.
> Do you have any suggestions?

I have implemented inform_deny that logs and drops, in the code
repository.

You could set a stub-zone to an address that does not reply, as a
workaround.

Best regards,
Wouter
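
An added example, not part of the thread and not Unbound's own code: it rewrites the blacklist entries from deny to the inform_deny type mentioned in the reply, then tallies the logged clients per address and per zone. It assumes an Unbound build that includes inform_deny; the log line layout, the second zone and all addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed blacklist in the format from the post (second zone is made up).
BLACKLIST = '''\
local-zone: "9222hh.com" deny
local-zone: "example.net" deny
'''

# Constructed syslog lines. Assumed message layout:
#   <zone> inform_deny <client-ip>@<port> <qname> <qtype> <qclass>
LOG = '''\
Apr 16 10:40:01 ns1 unbound: [1234:0] info: 9222hh.com. inform_deny 192.0.2.10@4242 9222hh.com. ANY IN
Apr 16 10:40:01 ns1 unbound: [1234:0] info: 9222hh.com. inform_deny 192.0.2.10@4243 9222hh.com. ANY IN
Apr 16 10:40:02 ns1 unbound: [1234:0] info: 9222hh.com. inform_deny 198.51.100.7@53 www.9222hh.com. ANY IN
Apr 16 10:40:03 ns1 unbound: [1234:0] info: example.net. inform_deny 2001:db8::5@5353 example.net. TXT IN
Apr 16 10:40:04 ns1 unbound: [1234:0] info: server stats for thread 0: 4 queries
'''

ZONE_RE = re.compile(r'^(\s*local-zone:\s*"[^"]+"\s+)deny\s*$')
LOG_RE = re.compile(
    r'info: (?P<zone>\S+) inform_deny (?P<ip>[0-9A-Fa-f:.]+)@(?P<port>\d+) '
    r'(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$')


def to_inform_deny(conf_text):
    """Switch plain 'deny' local-zones to 'inform_deny'; keep other lines."""
    return "".join(ZONE_RE.sub(r"\g<1>inform_deny", line) + "\n"
                   for line in conf_text.splitlines())


def tally(log_text):
    """Count dropped queries per client IP and per (zone, qtype)."""
    clients, zones = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            clients[m["ip"]] += 1
            zones[(m["zone"], m["qtype"])] += 1
    return clients, zones


if __name__ == "__main__":
    print(to_inform_deny(BLACKLIST), end="")
    clients, zones = tally(LOG)
    for ip, count in clients.most_common():
        print(f"{count:5d}  {ip}")
    for (zone, qtype), count in zones.most_common():
        print(f"{count:5d}  {zone} {qtype}")
```

In amplification traffic the source address is typically spoofed to be the victim's, so the per-client tally is better read as a list of targets to rate-limit or notify than as a list of attackers.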