Python module to ignore query
Eric Luehrsen
ericluehrsen at hotmail.com
Wed May 10 03:56:50 UTC 2017
On 05/09/2017 10:50 PM, Eduardo Schoedler via Unbound-users wrote:
> Hi,
>
> Our unbound servers have been hit by a ubiquiti virus.
> A lot of nonsense queries, like:
>
> [1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
> [1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
> [1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN
>
> No IP address like 333.x.x.x exists, for example.
>
> So, I wrote a Python module to filter these questions.
> But the problem with the code below is that there is an answer with
> RCODE_NXDOMAIN or RCODE_REFUSED to the origin.
>
>     if (re.match(r"([0-9]{3}\.){4}$", name)):
>         log_info("filter.py: "+name+" invalid")
>         qstate.return_rcode = RCODE_NXDOMAIN
>         qstate.ext_state[id] = MODULE_FINISHED
>         return True
>     else:
>         qstate.ext_state[id] = MODULE_WAIT_MODULE
>         return True
>
> Is there a way for the module to not answer the query?
> Generating no packet is the best approach to not generate a DNS
> amplification attack, for example.
>
> I just need to drop the query and move on.
As a help-the-discussion-along question, is there a way to exercise
something similar to "local-domain: example.com deny" behavior from
within a python module?