[dnsdist] Block Random queries

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Wed Jun 8 15:07:55 UTC 2016

Did you use dnsdist?

It can be easy to do using regular expressions:

addAction(RegexRule("[0-9]{5,}"), DelayAction(750)) -- milliseconds
addAction(RegexRule("[0-9]{4,}\\.cn$"), DropAction())

From: dnsdist [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Federico Olivieri
Sent: Wednesday, June 8, 2016 16:54
To: Aleš Rygl <ales at rygl.net>
Cc: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Block Random queries

Hi guys for both responses. I was thinking more of something like the u32 module on iptables. Let me be clear: the only fixed values are the length of the random characters, which is "8", and the mix of letters/numbers. What I was trying to do is something like:

If the first 8 characters are random
and there are more than 2 numbers
then block
else allow

Can anyone suggest something for that?



2016-06-08 14:55 GMT+01:00 Aleš Rygl <ales at rygl.net>:

Hi Federico.

It is imho almost impossible to block such queries. They are usually running at low rates per client per second but from many clients... I have already opened a feature request for a dynamic rule that would allow to insert rules based on dnsdist statistics of responses: https://github.com/PowerDNS/pdns/issues/3888

In the meantime it could be done by an external script grabbing topResponses from dnsdist, analyzing them and installing a rule.



On Wed, 8 Jun 2016 13:53:37 +0100, Federico Olivieri wrote:
Hi everybody,
My server receives some random queries such as xfz3421xc.domain.com, jh65jj3e.domain2.com
Can someone suggest a Lua script to block these kinds of random queries?


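The heuristic asked for in the thread (a fixed 8-character first label mixing letters and digits, with more than 2 digits) written as a dnsdist Lua rule. This is an added example, not code from the thread or from the dnsdist project. It assumes a dnsdist version that provides `LuaAction` and `AllRule`; the helper names are hypothetical and the zones are the placeholder domains used in the thread.

```lua
-- Added example (not from the thread). Helper names are hypothetical.
local LABEL_LEN  = 8   -- fixed label length reported in the thread
local MIN_DIGITS = 3   -- "more than 2 numbers"

-- Zones to protect: the placeholder names used in the thread.
local ZONES = { "domain.com.", "domain2.com." }

-- True when the label has the reported shape: exactly LABEL_LEN characters,
-- only letters and digits, at least one letter and at least MIN_DIGITS digits.
local function looksRandom(label)
  if #label ~= LABEL_LEN or label:find("[^a-z0-9]") then
    return false
  end
  local _, digits = label:gsub("%d", "")
  return digits >= MIN_DIGITS and digits < LABEL_LEN
end

-- Return the single label sitting directly under a protected zone,
-- lower-cased, or nil when the name is out of scope.
local function suspectLabel(qname)
  qname = qname:lower()
  for _, zone in ipairs(ZONES) do
    local suffix = "." .. zone
    if #qname > #suffix and qname:sub(-#suffix) == suffix then
      local label = qname:sub(1, #qname - #suffix)
      if not label:find(".", 1, true) then return label end
    end
  end
  return nil
end

-- Called by dnsdist for every query; drops only in-scope matches.
function dropRandomLabels(dq)
  local label = suspectLabel(dq.qname:toString())
  if label and looksRandom(label) then
    return DNSAction.Drop, ""
  end
  return DNSAction.None, ""
end

-- Constructed names, checked when the configuration is loaded.
assert(looksRandom("jh65jj3e"))        -- 8 chars, 3 digits
assert(not looksRandom("xfz3421xc"))   -- 9 chars: outside the fixed length
assert(not looksRandom("webmail1"))    -- only 1 digit
assert(suspectLabel("JH65jj3e.domain2.com.") == "jh65jj3e")
assert(suspectLabel("www.jh65jj3e.domain2.com.") == nil)

addAction(AllRule(), LuaAction(dropRandomLabels))
```

Ordinary hostnames with the same shape (eight characters, three or more digits) match too, so the zone list should stay as narrow as possible.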