Once upon a time, Stephane Bortzmeyer <[email protected]> said:
> On Fri, Dec 02, 2011 at 11:05:26AM -0600,
> Chris Adams <[email protected]> wrote
> a message of 30 lines which said:
>
> > FYI: here's a pcap filter that will match only UDP DNS ANY queries:
>
> No, only if no EDNS is used in the query (and, in actual attacks, it
> is sometimes used, to get a better amplification).

Hmm, I guess I haven't seen any of those (or enough to be a problem). It
also doesn't handle TCP requests, but since the source is apparently
spoofed, that shouldn't be an issue.

> > udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536 and udp[16:4]=0
> > and udp[udp[4:2]-3]=255
>
> Counting from the end of the packet is a clever idea (to avoid parsing
> the QNAME) but it fails if there is an additional record. I assume
> this is why you test ARCOUNT=0 but it makes the filter too
> restrictive.

It has been a "good enough" solution so far for me. Is it legal to have
additional records in a query? Shouldn't ARCOUNT=0 in all queries?

-- 
Chris Adams <[email protected]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
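The following is an added illustration, not code from either poster or the list: it mirrors the pcap filter quoted above as a Python predicate over a UDP datagram (same byte offsets, same "count from the end" trick), builds a few DNS ANY queries inline (constructed sample packets, with and without an EDNS OPT record in the additional section), and contrasts the filter with a check that walks the QNAME to read QTYPE directly. The QNAME-walking check is the generalisation the discussion points at: it classifies the query the same way whether ARCOUNT is 0 or 1. Function and variable names are this example's own.

```python
"""Why a "count from the end of the packet" DNS filter misses EDNS queries.

All packets below are constructed in-memory for the demonstration; nothing is
captured from a network.  Offsets follow tcpdump's udp[n] convention, where
udp[0] is the first byte of the UDP header and the DNS header starts at udp[8].
"""
import struct

QTYPE_A = 1
QTYPE_ANY = 255
TYPE_OPT = 41  # EDNS pseudo-RR type


def build_dns_query(qname: str, qtype: int, edns: bool = False, txid: int = 0x1234) -> bytes:
    """Return the DNS message (UDP payload) of a standard query (QR=0, OPCODE=0, RD=1)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    msg = header + question
    if edns:
        # OPT RR in the additional section: root name, TYPE=41, CLASS=UDP payload
        # size (4096), TTL=extended RCODE/version/flags (all 0), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def wrap_udp(dns: bytes, sport: int = 50000, dport: int = 53) -> bytes:
    """Prepend a UDP header (checksum left 0) so udp[n] offsets can be evaluated."""
    return struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns


def _u(udp: bytes, off: int, n: int) -> int:
    """udp[off:n] as tcpdump evaluates it: n bytes, big-endian."""
    return int.from_bytes(udp[off:off + n], "big")


def bpf_style_match(udp: bytes) -> bool:
    """Python mirror of:
    udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536 and udp[16:4]=0
    and udp[udp[4:2]-3]=255
    """
    if len(udp) < 8 + 12:  # UDP header + DNS header
        return False
    ulen = _u(udp, 4, 2)
    if _u(udp, 2, 2) != 53 or ulen != len(udp):
        return False
    return (
        udp[10] & 0xF8 == 0          # QR=0, OPCODE=0: a standard query
        and _u(udp, 12, 4) == 65536  # QDCOUNT=1, ANCOUNT=0
        and _u(udp, 16, 4) == 0      # NSCOUNT=0, ARCOUNT=0  <- rejects EDNS queries
        and udp[ulen - 3] == 255     # low byte of QTYPE, assuming the question is last
    )


def query_qtype(dns: bytes):
    """Walk the question section and return its QTYPE, or None if this is not a
    standard query with exactly one question.  Independent of ARCOUNT, so an
    EDNS OPT record (or any other additional record) does not affect the result."""
    if len(dns) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    if flags & 0xF800 or qdcount != 1:  # same QR/OPCODE test as udp[10]&0xf8=0
        return None
    i = 12
    while True:
        if i >= len(dns):
            return None
        length = dns[i]
        if length == 0:
            i += 1
            break
        if length & 0xC0:  # compression pointer: not valid in a query's QNAME here
            return None
        i += 1 + length
    if i + 4 > len(dns):
        return None
    qtype, _qclass = struct.unpack("!HH", dns[i:i + 4])
    return qtype


def is_any_query(dns: bytes) -> bool:
    return query_qtype(dns) == QTYPE_ANY


def demo() -> dict:
    """Compare both checks on an ANY query with and without EDNS, and on an A query."""
    cases = {
        "any_plain": build_dns_query("example.com", QTYPE_ANY),
        "any_edns": build_dns_query("example.com", QTYPE_ANY, edns=True),
        "a_plain": build_dns_query("example.com", QTYPE_A),
    }
    return {name: (bpf_style_match(wrap_udp(dns)), is_any_query(dns))
            for name, dns in cases.items()}


if __name__ == "__main__":
    for name, (bpf_hit, parsed_hit) in demo().items():
        print(f"{name:10s} bpf_filter={bpf_hit!s:5s} qname_walk={parsed_hit}")
```

Running `demo()` shows the gap the reply describes: the BPF mirror matches the plain ANY query but not the EDNS one, because ARCOUNT is 1 and the last bytes of the datagram now belong to the OPT record rather than to the question; the QNAME walk classifies both as ANY. Like the original filter, the mirror compares only the low byte of QTYPE; a production capture filter would normally match the full 16-bit field.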
