Python module to ignore query
Eduardo Schoedler
listas at esds.com.br
Wed May 10 02:50:22 UTC 2017
Hi,
Our Unbound servers have been hit by a Ubiquiti virus.
A lot of nonsense queries, like:
[1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
[1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
[1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN
No IP address like 333.x.x.x exists, for example.
So, I wrote a Python module to filter these questions.
But the problem with the code below is that there is an answer with
RCODE_NXDOMAIN or RCODE_REFUSED to the origin.
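    import re  # needed at the top of the module

    # Query names made of exactly four 3-digit labels, e.g. "333.167.145.065."
    if re.match(r"([0-9]{3}\.){4}$", name):
        log_info("filter.py: " + name + " invalid")
        # Finish the query here with an NXDOMAIN answer.
        qstate.return_rcode = RCODE_NXDOMAIN
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    else:
        # Hand every other query on to the next module.
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True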
Is there a way for the module not to answer the query?
Generating no packet is the best approach to avoid generating a DNS
amplification attack, for example.
I just need to drop the query and move on.
Thank you.
Regards,
--
Eduardo Schoedler