[Pdns-users] Queries .domain. Attack to root server?

Federico Olivieri lvrfrc87 at gmail.com
Sun Dec 13 15:48:05 UTC 2015

Thanks for the hint.
I wrote an iptables rule, but it seems not to be working

iptables -I INPUT 4 -p udp -m udp --dport 53 -m string --hex-string \
  "|06|domain" --algo bm --to 65535 -m comment --comment ".domain" -j DROP

I think that I need to specify to block all domains with .domain at the end
(a kind of *.domain). Any suggestions?!



2015-12-13 15:41 GMT+00:00 Stephane Bortzmeyer <bortzmeyer at nic.fr>:

> On Sun, Dec 13, 2015 at 03:17:04PM +0000,
>  Federico Olivieri <lvrfrc87 at gmail.com> wrote
>  a message of 131 lines which said:
> > I did sniff traffic and I saw some strange queries with .domain at the end
> > of the name
> Always use tcpdump with -n option... (hint: the last field is the
> port, 53 in digits, domain in letters).
> > If I do dig for one of those domains I can see that the query goes directly
> > to root server.
> Of course, since it searches for the .domain TLD.
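
Added example, not part of the original thread: a small Python parser for tcpdump DNS query lines that treats the text after the last dot of each address field as the port, as the hint in the quoted reply describes (without -n, port 53 prints as "domain"). The sample lines, host names and the SERVICE_PORTS table are constructed for illustration.

```python
import re

# Names tcpdump prints instead of port numbers when -n is not given.
# "domain" -> 53 is the mapping from this thread; the rest are standard
# /etc/services entries added for illustration.
SERVICE_PORTS = {"domain": 53, "ntp": 123, "http": 80, "https": 443}

# tcpdump DNS query line:
#   "<ts> IP <src> > <dst>: <id><flags> [opts] <TYPE>? <qname> (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): \d+[+%]* "
    r"(?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)"
)


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' field; the port is the text after the LAST dot."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    raise ValueError(f"unknown service name {port!r}")


def parse_query(line):
    """Return src/dst host and port plus the name actually queried, or None."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {"src": src_host, "sport": src_port, "dst": dst_host, "dport": dst_port,
            "qtype": m["qtype"], "qname": m["qname"]}


# Constructed sample lines (not captured traffic): the same query without and with -n.
SAMPLE_WITHOUT_N = ("15:40:01.123456 IP client.example.net.51234 > "
                    "ns1.example.org.domain: 4660+ A? www.example.com. (33)")
SAMPLE_WITH_N = ("15:40:01.123456 IP 192.0.2.10.51234 > "
                 "198.51.100.53.53: 4660+ A? www.example.com. (33)")

if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_N, SAMPLE_WITH_N):
        print(parse_query(sample))
```

In both sample lines the name in the question section is www.example.com.; the trailing "domain" belongs to the destination address field and resolves to port 53.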