[dnsdist] non ascii characters in dns requests

ccppprogrammer ccppprogrammer at gmail.com
Tue Feb 21 16:15:15 UTC 2017


I have only drop rules, so none of them is affecting it.

On Tue, Feb 21, 2017 at 4:33 PM, Alejandro Adroher Mellado <
alejandro.adroher at omniaccess.com> wrote:

> Have you tried moving these rules (117 & 118) to the first positions?
>
> Some other rule may be affecting these queries.
>
> *From:* dnsdist [mailto:dnsdist-bounces at mailman.powerdns.com] *On Behalf
> Of *ccppprogrammer
> *Sent:* Tuesday, 21 February 2017 11:10
> *To:* dnsdist at mailman.powerdns.com
> *Subject:* [dnsdist] non ascii characters in dns requests
>
>
>
> Dear All!
>
> I have weird DNS attacks where attackers request DNS names with non-ASCII
> characters (\032 at the end of the domain name). Because of that dnsdist can't
> filter such DNS requests. I tried filtering with and without the non-ASCII
> characters, but without success.
>
> Any suggestions on what to do in such a situation?
>
> Thanks in advance!
>
>
>
> 13:01:38.217462 IP 108.32.239.244.50742 > x.x.x.x.53: 62447+ A?
> xhtlaakmz.jiang.com . (38)
>
> 13:01:38.288748 IP 41.141.90.47.43849 > x.x.x.x.53: 11866+ A?
> nopqefguiwxym.jiang.com . (42)
>
> 13:01:38.309814 IP 47.169.20.171.29181 > x.x.x.x.53: 43540+ A?
> gpg.jiang.com . (32)
>
>
>
> > topQueries(20,2)
>
>    1  jiang.com\032.                           9415 94.2%
>
>
>
> > showRules()
>
> #     Matches Rule                                               Action
>
> 117         0 qname==jiang.com\032.                              drop
>
> 118         0 qname==jiang.com.                                  drop
>
>
>
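
Added example, not part of the original message or of dnsdist: `\032` is the presentation-format decimal escape for byte 32 (a space) inside a label, and this Python code rebuilds the query names from the tcpdump lines above to show that the reported sizes (38, 42, 32) fit a four-byte final label `com ` and that an exact comparison against `jiang.com\032.` differs from a trailing-label (suffix) comparison. The helper names are hypothetical, and a 12-byte header with a single question and no additional records is an assumption about the captured queries.

```python
# Added example; the names below are rebuilt from the thread's tcpdump output.

def encode_name(labels):
    """Uncompressed DNS wire format: length byte + raw label bytes, then 0x00."""
    if any(not 1 <= len(lab) <= 63 for lab in labels):
        raise ValueError("label length must be 1..63")
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def decode_name(wire):
    """Parse an uncompressed wire-format name into a list of raw labels."""
    labels, i = [], 0
    while i < len(wire):
        n = wire[i]
        if n == 0:
            return labels
        if n > 63 or i + 1 + n > len(wire):
            raise ValueError("compression pointer, bad length or truncated label")
        labels.append(wire[i + 1:i + 1 + n])
        i += 1 + n
    raise ValueError("name not terminated")

def to_text(labels):
    """Presentation form: backslash + 3 decimal digits for bytes outside 0x21..0x7e."""
    def esc(lab):
        return "".join(
            "\\" + chr(b) if b in b".\\" else
            chr(b) if 0x21 <= b <= 0x7E else "\\%03d" % b
            for b in lab)
    return ".".join(esc(lab) for lab in labels) + "."

def is_under(qname, zone):
    """Case-insensitive match on trailing whole labels (suffix match)."""
    q = [lab.lower() for lab in qname]
    z = [lab.lower() for lab in zone]
    return len(q) >= len(z) and q[len(q) - len(z):] == z

def query_size(labels):
    """DNS message size of a one-question query: 12-byte header, QNAME, QTYPE, QCLASS."""
    return 12 + len(encode_name(labels)) + 4

QUERY = decode_name(encode_name([b"xhtlaakmz", b"jiang", b"com "]))  # 0x20 ends last label
ZONE_SPACE = [b"jiang", b"com "]
ZONE_PLAIN = [b"jiang", b"com"]

if __name__ == "__main__":
    print(to_text(QUERY), query_size(QUERY))                   # name and size
    print(QUERY == ZONE_SPACE, is_under(QUERY, ZONE_SPACE))    # exact vs suffix
    print(is_under(QUERY, ZONE_PLAIN))                         # plain "com" label
```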