[dnsdist] Filter SERVFAILS by destination domain
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Mon Feb 29 16:56:08 UTC 2016
Hi all,
I'm working with dynamic blocks in my environment.
Currently I'm doing the following, which is easy:
function maintenance()
  toBlock = exceedQRate(300, 10)
  for k, v in pairs(toBlock) do
    if (whitelisted:match(k))
    then
      toBlock[k] = nil
    end
  end
  addDynBlocks(toBlock, "Exceeded query rate", 60)
end
-----------------------------------------------------------------------
Now I would like to go for the SERVFAILs. I must have my resolver open for company reasons, so I would like to deal with that.
I know I can use --> exceedServFails(rate, seconds)
But I would like to do that by source IP and also by the requested domain that returned SERVFAIL; I mean, respecting my whitelist, I would like to drop an IP when it gets more than X SERVFAILs for one specific domain.
Today I got something like 500k SERVFAILs for queries asking for xxxxxxxx.shop.vvtjhq.com. I added a rule to manually block the domain, but I would like to improve my script.
I know how to rate-limit by IP but not by the domain queried. I'm in production and I don't want to break anything by doing wrong tests .. XD
Can someone show me a way?
Thanks a lot.
Ale
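An added example, not from the post and not dnsdist's own code, showing one way to turn the question above into a per-source-IP, per-domain SERVFAIL block that respects the same whitelist. It assumes getRespRing() is available in the running dnsdist version and that each entry carries "requestor", "name" and "rcode" string fields (verify against your version), and it uses a constructed threshold of 100.

```lua
-- Added example: count SERVFAILs per (source IP, watched domain suffix)
-- from dnsdist's response ring and block offenders with addDynBlocks().
-- ASSUMPTION: getRespRing() returns a list of entries with string fields
-- "requestor", "name" and "rcode"; check the field names for your version.
local SERVFAIL = 2                        -- RCODE 2 = SERVFAIL
local WATCHED  = { "shop.vvtjhq.com." }   -- suffixes to watch (from the post)
local LIMIT    = 100                      -- constructed threshold, tune it

-- True when qname equals suffix or sits below it (plain string compare;
-- both names are expected in dnsdist's trailing-dot form).
local function underSuffix(qname, suffix)
  qname, suffix = qname:lower(), suffix:lower()
  return qname == suffix or qname:sub(-(#suffix + 1)) == "." .. suffix
end

-- counts[ip][suffix] = number of SERVFAIL answers for names under suffix.
-- Responses for names outside WATCHED are ignored entirely.
function countServFails(entries, suffixes)
  local counts = {}
  for _, e in ipairs(entries) do
    if tonumber(e.rcode) == SERVFAIL then
      for _, s in ipairs(suffixes) do
        if underSuffix(e.name, s) then
          counts[e.requestor] = counts[e.requestor] or {}
          counts[e.requestor][s] = (counts[e.requestor][s] or 0) + 1
        end
      end
    end
  end
  return counts
end

-- Block each (IP, suffix) pair above LIMIT for 60 s, skipping the
-- whitelisted NetmaskGroup exactly as the existing maintenance() does.
function blockServFailOffenders()
  local counts = countServFails(getRespRing(), WATCHED)
  for ip, perSuffix in pairs(counts) do
    local addr = newCA(ip)
    if not whitelisted:match(addr) then
      for suffix, n in pairs(perSuffix) do
        if n > LIMIT then
          addDynBlocks({ [addr] = n },
            "Exceeded " .. LIMIT .. " SERVFAILs for " .. suffix, 60)
        end
      end
    end
  end
end
```

Call blockServFailOffenders() from maintenance() next to the existing exceedQRate loop; because the response ring is a bounded buffer, its size is the effective time window, so watch the counts for a while before lowering LIMIT on a production box.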