DGA Attack mitigation
listas at esds.com.br
Mon Apr 9 21:36:11 UTC 2018
2018-04-09 16:15 GMT-03:00 Paul Vixie via Unbound-users
<unbound-users at unbound.net>:
> Rainer Duffner via Unbound-users wrote:
>>> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users
>>> <unbound-users at unbound.net> wrote:
>>> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN,
>>> for queries coming from my clients.
>> Block those IPs that are obviously p4wned until they clean up their PCs?
> the source addresses are forged. the victims are not unclean in any way.
> this is why rrl exists.
I drop queries in the firewall by string match.
#/sbin/iptables -A DNS -m string --algo bm --hex-string '|04|wpad|06|domain|04|name|' --to 255 -j DROP -m comment --comment
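Added example, not from the original post and not part of Unbound or iptables: a small Python script showing what the hex-string in the rule above actually matches. It encodes a name in DNS wire format (length-prefixed labels), renders it in the |xx| notation that the string match takes, parses such a pattern back to bytes, and runs a byte-exact search over a constructed DNS query to mimic the match. The names and packets are constructed for illustration; the --to window is applied to the DNS payload here, whereas iptables counts the offset from the start of the IP header.

```python
"""Added example (not from the original mailing-list post): DNS wire-format
names and the iptables ``-m string --hex-string`` notation.

All names and packets below are constructed for illustration."""
import struct


def dns_wire_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels plus the root (zero) octet."""
    labels = [l.encode("ascii") for l in name.strip(".").split(".") if l]
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length out of range: %r" % label)
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def iptables_hex_string(name: str, terminated: bool = False) -> str:
    """Render a name in --hex-string notation: |xx| is a hex octet, the rest
    is literal text.  Without the trailing |00| (as in the rule above) the
    pattern also matches subdomains such as x.wpad.domain.name and any later
    occurrence of the same labels inside the scanned window."""
    dns_wire_name(name)  # validate label lengths
    labels = [l for l in name.strip(".").split(".") if l]
    pattern = "".join("|%02x|%s" % (len(l), l) for l in labels)
    return pattern + ("|00|" if terminated else "|")


def parse_hex_string(pattern: str) -> bytes:
    """Parse --hex-string notation back to raw bytes: '|' toggles hex mode,
    text outside bars is literal, hex digits inside may be space-separated."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")                 # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))   # hex octets
    return bytes(out)


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + dns_wire_name(qname) + struct.pack("!HH", qtype, 1)


def string_match(packet: bytes, pattern: bytes, to: int = 255) -> bool:
    """Approximate the xt_string match: a byte-exact, case-sensitive search
    limited to the first ``to`` bytes.  Because it is case-sensitive, a query
    for WPAD.domain.name (or one with 0x20 case randomisation) is not dropped
    by the rule above even though DNS treats the names as equal."""
    return pattern in packet[:to]


if __name__ == "__main__":
    pattern = iptables_hex_string("wpad.domain.name")
    raw = parse_hex_string(pattern)
    print("pattern:", pattern, "->", raw)
    for q in ("wpad.domain.name", "x.wpad.domain.name",
              "WPAD.domain.name", "wpad.example.com"):
        verdict = "DROP" if string_match(build_dns_query(q), raw) else "pass"
        print("%-22s %s" % (q, verdict))
```

The script is only a model of the match; it is useful for checking that a hex-string you are about to deploy encodes the labels you think it does, and for seeing which related names (subdomains, differently cased names) the pattern does or does not cover.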