Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner via Unbound-users wrote: Am 09.04.2018 um 20:04 schrieb Mahdi Adnan via Unbound-users >: Im running 20 Unbound servers and around 20% of response are NXDOMAIN, for queries coming from my clients. Block those

Re: DGA Attack mitigation

2018-04-09 Thread Eduardo Schoedler via Unbound-users
2018-04-09 16:15 GMT-03:00 Paul Vixie via Unbound-users : > > > Rainer Duffner via Unbound-users wrote: >> >> >> >>> Am 09.04.2018 um 20:04 schrieb Mahdi Adnan via Unbound-users >>> >: >>> >>> Im running 20

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner wrote: Am 09.04.2018 um 21:15 schrieb Paul Vixie >: the source addresses are forged. the victims are not unclean in any way. this is why rrl exists. ... Most people using our resolvers use our CPE, our lines, our servers…. And the

Re: DGA Attack mitigation

2018-04-09 Thread Rainer Duffner via Unbound-users
> Am 09.04.2018 um 21:15 schrieb Paul Vixie : > > the source addresses are forged. the victims are not unclean in any way. this > is why rrl exists. Sorry. We „know“ our clients, mostly. Obviously, we’re a smaller shop. Most people using our resolvers use our CPE, our

Re: DGA Attack mitigation

2018-04-09 Thread Rainer Duffner via Unbound-users
> Am 09.04.2018 um 20:04 schrieb Mahdi Adnan via Unbound-users > : > > Im running 20 Unbound servers and around 20% of response are NXDOMAIN, for > queries coming from my clients. Block those IPs that are obviously p4wned until they clean up their PCs?

Re: DGA Attack mitigation

2018-04-09 Thread Petr Špaček via Unbound-users
Hi, generally speaking 20 % of NXDOMAIN (or even more) is about normal pattern we see in normal traffic. Blame Google Chrome and the like, they use it do detect DNS hijacking. Aggressive use of DNSSEC-validated cache will help for signed zones but there is no real 'solution' except fixing

Re: DGA Attack mitigation

2018-04-09 Thread Mahdi Adnan via Unbound-users
It's no easy to block my clients and ask them to clean up their machines. They will switch to another service instead of cleaning. -- Respectfully Mahdi A. Mahdi From: Rainer Duffner Sent: Monday, April 9, 2018 9:12 PM To: Mahdi Adnan

DGA Attack mitigation

2018-04-09 Thread Mahdi Adnan via Unbound-users
Hi, Im wondering how Unbound users are handling DGA and DGA like attacks. Im running 20 Unbound servers and around 20% of response are NXDOMAIN, for queries coming from my clients. Anyone experienced this kind of attack before ? if so, how do you protect your servers against it ? is there

Re: serve-expired seems to break flush_zone

2018-04-09 Thread Marc Branchaud via Unbound-users
On 2018-04-09 03:40 AM, W.C.A. Wijngaards wrote: Hi Marc, I can confirm that the patch fixes my test case (in 1.6.7). The documentation update also looks good. Thanks for the quick response! M. On 06/04/18 17:05, Marc Branchaud wrote: On 2018-04-06 02:47 AM, W.C.A.

Re: serve-expired seems to break flush_zone

2018-04-09 Thread W.C.A. Wijngaards via Unbound-users
Hi Marc, On 06/04/18 17:05, Marc Branchaud wrote: > On 2018-04-06 02:47 AM, W.C.A. Wijngaards via Unbound-users wrote: >> Hi Marc, >> >> On 04/04/18 20:29, Marc Branchaud via Unbound-users wrote: >>> Hi all, >>> >>> I have a simple forward-everything setup with serve-expired enabled: >>> >>>