Maintained by: NLnet Labs

[Unbound-users] Unbound as public DNSSEC resolver

lst_hoe02 at
Wed Oct 13 18:24:05 CEST 2010

Zitat von lst_hoe02 at

> Zitat von lst_hoe02 at
>> Ups, sorry. I forgot to disable S/MIME for the list-mail.
>> But the question remains:
>> What is "best practice" to limit the resources used and to be a  
>> good citizen when using unbound as public DNSSEC aware resolver, or  
>> is it no recommended at all?
> Still no answer for this one so i guess it is not recommended at all...

Okay, so it boils down to the danger of being used as amplification in  
a DoS with spoofed UDP source IP addresses. I will see what can be  
done with ipt_recent and low resource settings to avoid DoS  
amplification as much as possible.