I've been running the Unbound DNS resolver for a while now. I find that sometimes clients hammer the resolver with duplicate queries. I also run the fail2ban log watcher to track repeated failures and block them for a bit. Trying to do this with the Unbound DNS log has been interesting. Really, I want fail2ban to block queries from the same client after 3 queries in less than 5 seconds. I haven't quite figured it out, as it seems the limiting factor is fail2ban. I can probably do the same thing in an ipfw ruleset.
For the time being, I published what I have in my fail2ban unbound gitorious repository. Feel free to hack away at it. I hear the next version of fail2ban will allow for conditionals to make the ruleset more effective.
I ended up working with someone to create the ruleset and experiment. His name is listed as author as I ended up scrapping my work and using his.
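As an added example (not code from this post or from the fail2ban unbound repository), here is the counting rule the first paragraph asks for, written as a small detector over Unbound query-log lines: a client trips after 3 queries in less than 5 seconds, using the same maxretry/findtime window semantics fail2ban uses, with an option to count only duplicate queries. The log line shape and the sample lines are assumptions, constructed for the example.

```python
import re
from collections import defaultdict, deque

# Assumed Unbound query-log shape (log-queries: yes, use-syslog: no):
#   [unix_time] unbound[pid:tid] info: <client-ip> <qname> <qtype> <qclass>
LOG_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<ip>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m.group("ts")), m.group("ip"), m.group("qname"), m.group("qtype")

def find_offenders(lines, maxretry=3, findtime=5, per_query=False):
    """Map each offending client to the timestamp at which it tripped the rule.

    A client trips when `maxretry` queries fall inside a window shorter than
    `findtime` seconds (fail2ban-style maxretry/findtime). With per_query=True
    the window is kept per (client, qname, qtype), so only repeats of the same
    query count, which matches the "duplicate queries" case in the post.
    """
    windows = defaultdict(deque)
    tripped = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, qname, qtype = rec
        key = (ip, qname, qtype) if per_query else ip
        window = windows[key]
        window.append(ts)
        # Evict timestamps that are findtime or more seconds old, so what
        # remains is strictly "less than findtime seconds" of history.
        while window and ts - window[0] >= findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in tripped:
            tripped[ip] = ts
    return tripped

# Constructed sample log: .10 repeats one query, .20 is slow, .30 sends
# three different queries in three seconds.
SAMPLE_LOG = """\
[1539164400] unbound[1234:0] info: 192.0.2.10 example.com. A IN
[1539164401] unbound[1234:0] info: 192.0.2.10 example.com. A IN
[1539164402] unbound[1234:0] info: 192.0.2.10 example.com. A IN
[1539164400] unbound[1234:0] info: 192.0.2.20 example.net. AAAA IN
[1539164403] unbound[1234:0] info: 192.0.2.20 example.org. A IN
[1539164409] unbound[1234:0] info: 192.0.2.20 example.com. MX IN
[1539164410] unbound[1234:0] info: 192.0.2.30 a.example. A IN
[1539164411] unbound[1234:0] info: 192.0.2.30 b.example. A IN
[1539164412] unbound[1234:0] info: 192.0.2.30 c.example. A IN
""".splitlines()
```

Running `find_offenders(SAMPLE_LOG)` flags 192.0.2.10 and 192.0.2.30, while `per_query=True` flags only 192.0.2.10, which is the distinction between "busy client" and "duplicate queries" that a plain per-IP fail2ban count cannot make.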
Originally published at wiki.lewman.is