Subject: Re: question on ACL
Date: Wed, Jun 11, 2025 at 11:48:41AM +0200

Quoting Yorgos Thessalonikefs via Unbound-users (unbound-users@lists.nlnetlabs.nl):
> Hi Måns,
>
> Not allowing 127.0.0.1 in the access-control forbids DNS queries from that
> localhost address to Unbound. The daemon itself does not rely on that
> address and you can forbid it if you don't want queries from that address.

Ok. It just was too good a coincidence to not follow up. :-)

> Now with me just assuming based on what you shared, I believe during the
> DDOS attack Unbound started caching resolution failures (for the queries
> themselves and the infrastructure cache).
> Reloading Unbound clears all that state.

Makes sense.

> For SERVFAILs of individual queries (Unbound could not resolve for reasons)
> these stay in the cache for 5 seconds and work as a back off mechanism.
>
> For the infrastructure failures (Unbound can not reach nameservers or
> timeouts start piling up) you have a couple of options:

<snip>

> Hope that helps.

It helps, and a lot. I'm grateful for the answer and the links.

Thanks!

/Måns
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
A can of ASPARAGUS, 73 pigeons, some LIVE ammo, and a FROZEN DAQUIRI!!