[Pdns-users] CVE-2015-7547 mitigation script, potential problem
oystein.viggen at ntnu.no
Mon Feb 22 14:29:30 UTC 2016
New poster, long time user here.
On Friday, I enabled the lua-script from
https://gist.github.com/ahupowerdns/0f7de247dd200dea41bf, and today, I
disabled it again.
After adding some extra logging (domain and qtype), I noticed that our
most prevented query was "_nos._tcp.nos-avg.cz.|SRV", which seems to be
used by the AVG Antivirus updater. I considered whitelisting that
record in the lua-script, but then I noticed that all the other blocked
things were fairly legit looking, too.
This isn't intended as a complaint, as the script certainly does what it
says on the tin. However, people who deployed the script may consider
monitoring if it breaks anything they care about.
For anyone interested, I changed the logging line like so:
pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes. Query was: "..domain.."|"..qtype)
..and used https://en.wikipedia.org/wiki/List_of_DNS_record_types to
decode the numerical qtype values.
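For the monitoring the mail suggests, here is a small log-analysis helper (an added example, not part of the original post or the gist) that parses the message produced by the modified pdnslog() line, decodes the numeric qtype and ranks the most frequently blocked name/type pairs. The syslog prefix format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Subset of numeric qtype values from the IANA DNS parameters registry
# (the same values the Wikipedia page cited in the mail lists).
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 35: "NAPTR", 43: "DS",
               46: "RRSIG", 48: "DNSKEY", 255: "ANY"}

# Matches the text produced by the modified pdnslog() line in the mail.
LOG_RE = re.compile(
    r"Protected (?P<remoteip>\S+) against an overly large response of "
    r"(?P<len>\d+) bytes\. Query was: (?P<domain>\S+)\|(?P<qtype>\d+)"
)

def parse_line(line):
    """Return (remoteip, length, domain, qtype_name), or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qtype = int(m.group("qtype"))
    # Unknown types use the RFC 3597 generic presentation form, e.g. TYPE65.
    return (m.group("remoteip"), int(m.group("len")), m.group("domain"),
            QTYPE_NAMES.get(qtype, f"TYPE{qtype}"))

def top_blocked(lines, n=5):
    """Count blocked (domain, qtype) pairs and return the n most frequent."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[(parsed[2], parsed[3])] += 1
    return counts.most_common(n)

# Constructed sample log lines (not real data from the list post).
SAMPLE_LOG = [
    "Feb 22 10:01:02 pdns_recursor[1234]: Protected 192.0.2.10 against an overly large response of 2301 bytes. Query was: _nos._tcp.nos-avg.cz.|33",
    "Feb 22 10:01:05 pdns_recursor[1234]: Protected 192.0.2.11 against an overly large response of 2120 bytes. Query was: _nos._tcp.nos-avg.cz.|33",
    "Feb 22 10:01:09 pdns_recursor[1234]: Protected 192.0.2.10 against an overly large response of 2080 bytes. Query was: example.org.|16",
    "Feb 22 10:01:11 pdns_recursor[1234]: some unrelated message",
]

if __name__ == "__main__":
    for (domain, qtype), count in top_blocked(SAMPLE_LOG):
        print(f"{count:5d}  {domain}|{qtype}")
```

Feed it the recursor's log (for example `top_blocked(open("/var/log/syslog"))`) to see which names the script is blocking most often before deciding on a whitelist.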