On 20/06/14 16:07 +1000, Nick Urbanik wrote:
> Our DNS caches are subject to a massive load of queries which resulted
> initially in SERVFAIL.  The pattern is a parent DNS domain, with
> queries for tens of thousands of apparently randomly generated
> subdomains all initially resulting in SERVFAIL.
>
> I have written code to analyse the query-errors log to detect these
> patterns and blackhole the entire domain automatically.  I can tidy
> the code up and make it freely available if there is sufficient
> interest.

The code is now available at http://nicku.org/software/#dns-malware-blocker

Feedback welcome.
--
Nick Urbanik http://nicku.org 808-71011 [email protected]
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24  ID: BB9D2C24
I disclaim, therefore I am.
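
The detection idea described in this message (one parent domain, many distinct random-looking subdomains, all answering SERVFAIL), as an added example that is not part of the original message and is not the dns-malware-blocker code. The log line format, the naive two-label parent split and the threshold are assumptions; the sample log lines are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Assumed shape of a query-errors line; the message does not show the format.
SERVFAIL_RE = re.compile(r"query failed \(SERVFAIL\) for (\S+?)/IN/\w+")

def split_parent(qname, labels=2):
    """Naive split: last `labels` labels are the parent (assumption; a real
    deployment would need a public-suffix list for names like foo.co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) <= labels:
        return None, None
    return ".".join(parts[-labels:]), ".".join(parts[:-labels])

def find_flooded_domains(lines, min_unique=1000):
    """Return parents with at least `min_unique` DISTINCT failing subdomains.
    Counting distinct names, not raw lines, keeps one broken hostname that is
    retried thousands of times from triggering a block."""
    subs = defaultdict(set)
    for line in lines:
        m = SERVFAIL_RE.search(line)
        if not m:
            continue  # other error types and unparsable lines are ignored
        parent, sub = split_parent(m.group(1))
        if parent:
            subs[parent].add(sub)
    return sorted(p for p, s in subs.items() if len(s) >= min_unique)

def constructed_sample():
    """Constructed log lines: a flood, a noisy single name, a quiet domain."""
    fmt = ("20-Jun-2014 16:07:00.000 query-errors: debug 1: "
           "client 192.0.2.10#5353: query failed (SERVFAIL) for {}/IN/A at query.c:0")
    lines = []
    for i in range(200):  # 200 distinct pseudo-random labels under one parent
        label = hashlib.sha256(str(i).encode()).hexdigest()[:12]
        lines.append(fmt.format(label + ".victim.example"))
    lines += [fmt.format("www.broken.example")] * 200  # same name repeated
    lines += [fmt.format(h + ".ok.example") for h in ("a", "b", "c")]
    lines.append("20-Jun-2014 16:07:01.000 some unrelated log line")
    return lines

if __name__ == "__main__":
    for domain in find_flooded_domains(constructed_sample(), min_unique=50):
        print("candidate for blackholing:", domain)
```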