[Pdns-users] Queries .domain. Attack to root server?
Federico Olivieri
lvrfrc87 at gmail.com
Sun Dec 13 15:48:05 UTC 2015
Thanks for the hint.
I wrote an iptables rule, but it seems not to be working:
iptables -I INPUT 4 -p udp -m udp --dport 53 -m string --hex-string \
    "|06|domain" --algo bm --to 65535 -m comment --comment ".domain" -j DROP
I think that I need to specify to block all domains with .domain at the end
(a kind of *.domain). Any suggestions?!
Thank you!!!!
Federico
2015-12-13 15:41 GMT+00:00 Stephane Bortzmeyer <bortzmeyer at nic.fr>:
> On Sun, Dec 13, 2015 at 03:17:04PM +0000,
> Federico Olivieri <lvrfrc87 at gmail.com> wrote
> a message of 131 lines which said:
>
> > I did sniff traffic and I saw some strange queries with .domain at the end
> > of the name
>
> Always use tcpdump with -n option... (hint: the last field is the
> port, 53 in digits, domain in letters).
>
> > If I do dig for one of those domains I can see that the query goes directly
> > to root server.
>
> Of course, since it searches for the .domain TLD.
>
>
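
Added example (not part of the original message, and not PowerDNS code): how a byte pattern such as |06|domain relates to DNS wire format, where every label is preceded by its length and the name ends with a zero byte. The helper names and the sample query names are constructed for illustration, and the substring test is a simplified stand-in for a string match on the DNS payload only.

```python
import struct

def encode_qname(name):
    """Encode a name as DNS wire-format labels: <len><label>... then 0x00 (root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, one question) + QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def parse_qname(packet):
    """Return the lower-cased labels of the first question, rejecting odd input."""
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        n = packet[pos]
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer or unsupported label type")
        label = packet[pos + 1:pos + 1 + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + n

def substring_rule_matches(payload, pattern=b"\x06domain"):
    """Case-sensitive byte search: hits a 6-byte 'domain' label at any position."""
    return pattern in payload

def tld_is(payload, tld="domain"):
    """True only when the last label before the root is the given TLD."""
    labels = parse_qname(payload)
    return bool(labels) and labels[-1] == tld

if __name__ == "__main__":
    # Constructed sample names, not taken from any capture.
    for name in ("foo.domain", "domain.example.com", "FOO.DOMAIN", "example.com"):
        q = build_query(name)
        print(f"{name:22} substring={substring_rule_matches(q)!s:5} tld={tld_is(q)}")
```

The byte pattern also hits names that merely contain a label "domain" and misses upper-case spellings; anchoring on the TLD needs the trailing zero byte or a parsed name.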