Maintained by: NLnet Labs

DGA Attack mitigation

W.C.A. Wijngaards
Tue Apr 10 09:27:40 CEST 2018


Hi Mahdi,

This may not be what you are looking for but the just released
aggressive-nsec: yes option uses DNSSEC aggressive NSEC processing to
cache more NXDOMAINs per upstream lookup, and more quickly respond to
NXDOMAINs, resulting in less upstream traffic and less load on the
server for NXDOMAINS.

Best regards, Wouter

On 10/04/18 08:45, Mahdi Adnan via Unbound-users wrote:
> Thank you all for your response,
> 
> 
> -- 
> 
> Respectfully*
> **Mahdi A. Mahdi*
> 
> ------------------------------------------------------------------------
> *From:* Paul Vixie <paul at redbarn.org>
> *Sent:* Monday, April 9, 2018 11:37 PM
> *To:* Rainer Duffner
> *Cc:* Mahdi Adnan; unbound-users at unbound.net
> *Subject:* Re: DGA Attack mitigation
>  
> 
> 
> Rainer Duffner via Unbound-users wrote:
>>
>>
>>> Am 09.04.2018 um 20:04 schrieb Mahdi Adnan via Unbound-users
>>> <unbound-users at unbound.net <mailto:unbound-users at unbound.net>>:
>>>
>>> Im running 20 Unbound servers and around 20% of response are NXDOMAIN,
>>> for queries coming from my clients.
>>
>>
>>
>> Block those IPs that are obviously p4wned until they clean up their PCs?
> 
> the source addresses are forged. the victims are not unclean in any way.
> this is why rrl exists.
> 
> -- P Vixie
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20180410/0d98eeb4/attachment.sig>