[Pdns-users] Workaround for PowerDNS Security Advisory 2014-02

Vu Le lev.fpt at gmail.com
Wed Dec 10 14:37:46 UTC 2014


> auth-zones is good. Even better would be 'auth-zones-from-file' with
> one domain name per line.
>
> It would also be good to have some more discussion of the best way to
> battle the latest round of <random>.domain lookups from compromised
> clients.  We're currently seeing a significant number of A lookups for
>
> Gpd9LVuC.arkhamnetwork.org.
> KGm3G79l.arkhamnetwork.org.
> L4pEXeQO.arkhamnetwork.org.
> xwpJ2qas.arkhamnetwork.org.
> 4P9ySJ1W.arkhamnetwork.org.
> ...
>

We have seen a huge number of requests to this domain today. We have to
drop it at iptables to reduce the load on pdns.

iptables -I INPUT -p udp --dport 53 -m string \
    --hex-string "|0D|arkhamnetwork|03|com" --algo bm -j DROP
iptables -I INPUT -p udp --dport 53 -m string \
    --hex-string "|0D|arkhamnetwork|03|org" --algo bm -j DROP

Rgds,
Vu.
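
Added example, not part of the original message: a shell helper that derives the --hex-string pattern used in the rules above from a zone name. In a DNS query each label is preceded by a one-byte length, which is where |0D| (13, the length of "arkhamnetwork") and |03| come from. The function names dns_hex_string and dns_drop_rule are hypothetical, and the rule is only printed, never applied.

```shell
#!/bin/sh
# Added example: build the iptables string-match pattern for a DNS zone.
# On the wire "arkhamnetwork.org" is 0x0D "arkhamnetwork" 0x03 "org".

# dns_hex_string ZONE -> prints e.g. |0D|arkhamnetwork|03|org
dns_hex_string() {
    zone=${1%.}                       # accept one trailing root dot
    case $zone in
        ''|.*|*.|*..*) return 1 ;;    # reject empty names and empty labels
    esac
    out=
    rest=$zone
    while [ -n "$rest" ]; do
        label=${rest%%.*}             # first remaining label
        case $rest in
            *.*) rest=${rest#*.} ;;   # drop that label and its dot
            *)   rest= ;;             # last label consumed
        esac
        len=${#label}
        # A DNS label is 1..63 bytes long.
        [ "$len" -ge 1 ] && [ "$len" -le 63 ] || return 1
        # Only hostname characters: a '|' or a quote inside a label
        # would corrupt the --hex-string syntax or the shell quoting.
        case $label in
            *[!A-Za-z0-9_-]*) return 1 ;;
        esac
        out="$out$(printf '|%02X|%s' "$len" "$label")"
    done
    printf '%s\n' "$out"
}

# dns_drop_rule ZONE -> prints (does not run) the DROP rule for UDP/53.
dns_drop_rule() {
    pat=$(dns_hex_string "$1") || return 1
    printf 'iptables -I INPUT -p udp --dport 53 -m string --hex-string "%s" --algo bm -j DROP\n' "$pat"
}

# The two zones from the message above.
dns_drop_rule arkhamnetwork.com
dns_drop_rule arkhamnetwork.org
```

The string match compares bytes case-sensitively while DNS names are case-insensitive; the iptables string module's --icase option makes the rule cover mixed-case spellings of the zone as well.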



