[dnsdist] Filter SERVFAILS by destination domain
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Wed Mar 2 09:45:44 UTC 2016
Hi all,
I'm working with dynamic blocks in my environment.
Currently I'm doing the following, which is easy:
-- 'whitelisted' is a netmask group (newNMG()) defined elsewhere in the config
function maintenance()
  -- clients that sent more than 300 queries over the last 10 seconds
  local toBlock = exceedQRate(300, 10)
  for k, v in pairs(toBlock) do
    -- never block whitelisted source addresses
    if whitelisted:match(k) then
      toBlock[k] = nil
    end
  end
  addDynBlocks(toBlock, "Exceeded query rate", 60)
end
-----------------------------------------------------------------------
Now I would like to go for the SERVFAILs. I must keep my resolver open for company reasons, so I would like to deal with that.
I know I can use --> exceedServFails(rate, seconds)
But I would do that by source IP and also by the requested domain that got SERVFAIL; I mean, respecting my whitelist, I would like to drop all queries for a specific domain when we get more than X SERVFAILs for it.
Today I got something like 500k SERVFAIL responses for xxxxxxxx.shop.vvtjhq.com. I added a rule to manually block the domain, but I would like to improve my script.
I know how to rate-limit by IP but not by the queried domain. I'm in production and I don't want to break anything by doing wrong tests .. XD (I will have my test environment ... I promise .. XD)
Can someone show me a way?
Thanks a lot.
Ale
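One way to count SERVFAIL responses per queried name and drop further queries for a name that crosses a threshold, written as an added example for this thread rather than code from the post or from the dnsdist project. It uses the dnsdist Lua response-action API (addResponseAction, LuaResponseAction, SuffixMatchNode, DropAction); the threshold, window, netmask group contents, and the helper name countServFail are assumptions chosen for illustration, and the SERVFAIL rcode is compared as the raw value 2 so it does not depend on a version-specific constant name.

```lua
-- Added example (not from the original post). Assumes a dnsdist version
-- with LuaResponseAction / DNSResponseAction; names below are illustrative.

-- Whitelisted client networks are never counted (constructed sample mask).
local whitelisted = newNMG()
whitelisted:addMask("10.0.0.0/8")

-- Tunables (assumed values): SERVFAILs per name within WINDOW seconds.
local SERVFAIL_THRESHOLD = 1000
local WINDOW = 10

-- Per-name sliding counters: qname -> { count = n, start = epoch seconds }.
local servfailCounts = {}

-- Names that crossed the threshold. Queries for these (and subdomains) are
-- dropped before reaching the backend by the rule installed below.
local blockedDomains = newSuffixMatchNode()
addAction(SuffixMatchNodeRule(blockedDomains), DropAction())

-- Response hook: runs for every answer coming back from a backend.
local function countServFail(dr)
  -- 2 == SERVFAIL; anything else is not of interest here.
  if dr.rcode ~= 2 then
    return DNSResponseAction.None, ""
  end
  -- Respect the whitelist: responses to trusted clients are not counted.
  if whitelisted:match(dr.remoteaddr) then
    return DNSResponseAction.None, ""
  end

  local name = dr.qname:toString()
  local now = os.time()
  local entry = servfailCounts[name]
  -- Start a fresh window when none exists or the old one has expired.
  if entry == nil or (now - entry.start) >= WINDOW then
    entry = { count = 0, start = now }
    servfailCounts[name] = entry
  end
  entry.count = entry.count + 1

  if entry.count >= SERVFAIL_THRESHOLD then
    blockedDomains:add(newDNSName(name))
    infolog("Blocking " .. name .. ": " .. entry.count ..
            " SERVFAILs within " .. WINDOW .. "s")
    -- Reset so the log line is emitted once per window, not per packet.
    servfailCounts[name] = nil
  end
  return DNSResponseAction.None, ""
end

addResponseAction(AllRule(), LuaResponseAction(countServFail))
```

Two caveats worth knowing before trying this in production: the counters are keyed on the full query name, so a flood of random labels under one parent (like the xxxxxxxx.shop.vvtjhq.com case) is better handled by keying on a parent label or a suffix of the name, and the SuffixMatchNode here only grows, so a maintenance() step (or a dnsdist version whose SuffixMatchNode supports removal) is needed if blocks should expire the way addDynBlocks entries do. Later dnsdist releases also ship built-in helpers for suffix-based dynamic blocks (for example addDynBlockSMT and the DynBlockRulesGroup suffix rules); check the documentation for the version in use before relying on the hand-rolled counter above.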