[Pdns-users] CVE-2015-7547 mitigation script, potential problem

Øystein Viggen oystein.viggen at ntnu.no
Mon Feb 22 14:29:30 UTC 2016


New poster, long time user here.

On Friday, I enabled the lua-script from
https://gist.github.com/ahupowerdns/0f7de247dd200dea41bf, and today, I
disabled it again.

After adding some extra logging (domain and qtype), I noticed that our
most prevented query was "_nos._tcp.nos-avg.cz.|SRV", which seems to be
used by the AVG Antivirus updater.  I considered whitelisting that
record in the lua-script, but then I noticed that all the other blocked
things were fairly legit looking, too.

This isn't intended as a complaint, as the script certainly does what it
says on the tin.  However, people who deployed the script may consider
monitoring if it breaks anything they care about.

For anyone interested, I changed the logging line like so:

pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes. Query was: "..domain.."|"..qtype)

..and used https://en.wikipedia.org/wiki/List_of_DNS_record_types to
decode the numerical qtype values.


More information about the Pdns-users mailing list