Fail2ban Ruleset for Unbound DNS Server

I’ve been running the Unbound DNS resolver for a while now. I find that sometimes clients hammer the resolver with duplicate queries. I also run the fail2ban log watcher to track repeated failures and block the offending clients for a bit. Trying to do this with the Unbound DNS log has been interesting. Really, I want fail2ban to block queries from the same client after 3 queries in less than 5 seconds. I haven’t quite figured it out, as it seems the limiting factor is fail2ban. I can probably do the same thing in an ipfw ruleset.
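As an added illustration (not code from this post or from the linked repository), the script below does on constructed sample lines what the post asks fail2ban to do: it matches Unbound's `log-queries` lines with a fail2ban-style `failregex` and counts queries per client in a sliding window, flagging a client once it reaches `maxretry` (3) queries inside `findtime` (5 seconds). The log line shape, the year used to fill in syslog's missing year, and the simple host pattern substituted for fail2ban's `<HOST>` placeholder are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape Unbound writes with `log-queries: yes`
# (assumed format: "<syslog timestamp> unbound[pid:tid] info: <client> <qname> <qtype> <qclass>").
SAMPLE_LOG = """\
Mar  3 10:00:00 unbound[2142:0] info: 192.0.2.10 example.com. A IN
Mar  3 10:00:01 unbound[2142:0] info: 192.0.2.10 example.com. A IN
Mar  3 10:00:02 unbound[2142:0] info: 198.51.100.7 example.org. AAAA IN
Mar  3 10:00:03 unbound[2142:0] info: 192.0.2.10 example.com. A IN
Mar  3 10:00:20 unbound[2142:0] info: 198.51.100.7 example.org. AAAA IN
Mar  3 10:00:40 unbound[2142:0] info: 198.51.100.7 example.org. AAAA IN
Mar  3 10:00:41 unbound[2142:0] notice: init module 0: validator
"""

# Candidate failregex for a fail2ban filter.d file. fail2ban substitutes its own
# host-matching expression for <HOST>; here a simple IPv4/IPv6 character class is
# plugged in (an assumption) so the same expression can be exercised without fail2ban.
FAILREGEX = r"unbound\[\d+:\d+\] info: <HOST> \S+ \S+ \S+$"
HOST_PATTERN = r"(?P<host>[0-9a-fA-F.:]+)"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

# Syslog timestamps carry no year; an assumed fixed year is good enough for deltas.
ASSUMED_YEAR = 2024


def parse_line(line):
    """Return (timestamp, client) for a query line, or None for anything else."""
    ts_match = TS_RE.match(line)
    host_match = LINE_RE.search(line)
    if not (ts_match and host_match):
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_match.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, host_match.group("host")


def find_offenders(lines, maxretry=3, findtime=5.0):
    """Mirror fail2ban's maxretry/findtime: a client that issues `maxretry`
    queries within any `findtime`-second window is flagged. Returns
    {client: time of the query that triggered the ban}."""
    windows = defaultdict(deque)   # client -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue               # already flagged; fail2ban would have dropped it
        window = windows[host]
        window.append(ts)
        # Drop timestamps older than findtime relative to the newest query.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for client, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{client} would be banned at {when:%H:%M:%S}")
```

On the constructed input only `192.0.2.10` is flagged (three queries within three seconds); `198.51.100.7` sends the same number of queries, but spread 18 to 20 seconds apart, so it never has three inside the window, and the `notice:` line is ignored because the regex only matches `info:` query lines.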

For the time being, I published what I have in my fail2ban unbound Gitorious repository. Feel free to hack away at it. I hear the next version of fail2ban will allow for conditionals to make the ruleset more effective.

I ended up working with someone to create the ruleset and experiment. His name is listed as author as I ended up scrapping my work and using his.

originally published at
