[dnsdist] Block Random queries
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Wed Jun 8 15:07:55 UTC 2016
Did you use dnsdist?
Can be easy to do using regular expressions
addAction(RegexRule("[0-9]{5,}"), DelayAction(750)) -- milliseconds
addAction(RegexRule("[0-9]{4,}\\.cn$"), DropAction())
From: dnsdist [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Federico Olivieri
Sent: Wednesday, 8 June 2016 16:54
To: Aleš Rygl <ales at rygl.net>
Cc: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Block Random queries
Hi guys for both responses. I was thinking more of something like the u32 module in iptables. Let me be clear: the only fixed values are the length of the random characters, which is "8", and the mix of letters/numbers. What I was trying to do is something like:
If the first 8 characters are random
and there are more than 2 numbers
then block
else allow
Can anyone suggest something for that?
Regards
Federico
2016-06-08 14:55 GMT+01:00 Aleš Rygl <ales at rygl.net>:
Hi Federico.
It is imho almost impossible to block such queries. They are usually running at low rates per client per second but from many clients... I have already opened a feature request for a dynamic rule that would allow inserting rules based on dnsdist statistics of responses: https://github.com/PowerDNS/pdns/issues/3888
In the meantime it could be done by an external script grabbing topResponses from dnsdist, analyzing them and installing a rule.
Regards
Ales
On Wed, 8 Jun 2016 13:53:37 +0100, Federico Olivieri wrote:
Hi everybody,
My server receives some random queries such as xfz3421xc.domain.com, jh65jj3e.domain2.com
Can someone suggest a Lua script to block this kind of random query?
Thanks
Federico
_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
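
The heuristic Federico describes in the thread (leftmost label of fixed length, letters mixed with more than 2 digits), written as a dnsdist Lua rule. This is an added example, not code from the thread or from the dnsdist project: the 8 to 9 character window, the function names and the extra test names are assumptions, and it assumes a dnsdist release that provides `LuaAction`.

```lua
-- Added example; names and thresholds below are assumptions, not dnsdist defaults.
local MIN_LEN, MAX_LEN = 8, 9  -- assumed window: the thread's samples are 8 and 9 chars
local MIN_DIGITS = 3           -- "more than 2 numbers"

-- True when the leftmost label is alphanumeric, inside the length window,
-- and mixes letters with at least MIN_DIGITS digits.
local function looksRandom(qname)
  local label = qname:lower():match("^([^.]+)%.")
  if not label then return false end
  if #label < MIN_LEN or #label > MAX_LEN then return false end
  if label:find("[^a-z0-9]") then return false end
  local _, digits = label:gsub("%d", "")
  local _, letters = label:gsub("%a", "")
  return digits >= MIN_DIGITS and letters > 0
end

-- dnsdist hook: drop matching queries, let everything else fall through
-- to the remaining rules.
local function blockRandomLabels(dq)
  if looksRandom(dq.qname:toString()) then
    return DNSAction.Drop, ""
  end
  return DNSAction.None, ""
end

if addAction and LuaAction then
  -- Loaded by dnsdist: install the rule for all queries.
  addAction(AllRule(), LuaAction(blockRandomLabels))
else
  -- Run with plain `lua`: self-check on the thread's samples plus constructed names.
  local cases = {
    ["xfz3421xc.domain.com."] = true,   -- sample from the thread (9 chars, 4 digits)
    ["jh65jj3e.domain2.com."] = true,   -- sample from the thread (8 chars, 3 digits)
    ["www.domain.com."]       = false,  -- constructed: too short
    ["abcdefgh.domain.com."]  = false,  -- constructed: no digits
    ["mail2016.domain.com."]  = true,   -- constructed: a legitimate-looking false positive
  }
  for name, expected in pairs(cases) do
    assert(looksRandom(name) == expected, "unexpected verdict for " .. name)
  end
end
```

The `mail2016` case shows why a pure shape check needs an allow-list or a `DelayAction` trial period before it is switched to dropping traffic.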