> In addition to Nick Urbanik's work, which is log file based, we've also
> provided some tooling to detect the originators and domains in the recent
> flood of malicious DNS traffic based on PCAP files.
>
> From our mailing list post to pdns-users yesterday:
>
> "Secondly, the botnet mitigation code in Recursor 3.6.0 is holding up well,
> but we still see A Lot of malicious DNS traffic. To determine exactly which
> users are attacking your recursor with such traffic, we've enhanced
> 'dnsscope' (one of our DNS analysis tools) with the --servfail-tree option.
> This option generates a per-domain suffix list of IP addresses sending
> servfail-generating traffic.
>
> A provisional document for how to benefit from --servfail-tree and use it to
> configure bulk IP blocking based on ipset can be found on:
>
> https://gist.github.com/ahupowerdns/53c9ec191f9b32803392
>
> This also includes links on where to download binary packages of dnsscope.
> Note by the way that the instructions are not PowerDNS specific, and will
> also help you protect other nameservers."
>
> The output of the tool is, like Nick's work, a list of domain names and
> additionally the set of IP addresses sending traffic to those domains.
Is dnsscope available for other OSes, e.g. FreeBSD?

Steinar Haug, AS 2116

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
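The per-domain-suffix view of SERVFAIL-generating clients described in the quoted post, as an added illustration that is not dnsscope's code and not taken from the linked gist. It assumes a constructed (client IP, queried name, rcode) record format rather than any real PowerDNS log or pcap layout; the depth-2 suffix grouping, the threshold of three SERVFAILs, and the ipset name `dns-abusers` are all assumptions chosen for the example.

```python
"""Per-domain-suffix view of clients whose queries end in SERVFAIL, rendered as
ipset commands. Independent illustration of the --servfail-tree idea; the record
format below is constructed and is not a dnsscope or PowerDNS format."""
from collections import defaultdict
import ipaddress

# Constructed sample: (client IP, queried name, rcode the recursor returned).
# Two clients hammer random labels under victim.example; one client has a single
# stray failure; one client repeatedly hits a domain whose servers are broken.
SAMPLE_RECORDS = [
    ("192.0.2.10", "q7x1.victim.example.", "SERVFAIL"),
    ("192.0.2.10", "a9kd.victim.example.", "SERVFAIL"),
    ("192.0.2.10", "p0ww.victim.example.", "SERVFAIL"),
    ("192.0.2.10", "zz31.victim.example.", "SERVFAIL"),
    ("192.0.2.11", "m4n2.victim.example.", "SERVFAIL"),
    ("192.0.2.11", "k81s.victim.example.", "SERVFAIL"),
    ("192.0.2.11", "u2u2.victim.example.", "SERVFAIL"),
    ("192.0.2.11", "tt09.victim.example.", "SERVFAIL"),
    ("198.51.100.5", "www.victim.example.", "SERVFAIL"),  # one failure: not an offender
    ("198.51.100.5", "www.example.net.", "NOERROR"),
    ("198.51.100.9", "mail.broken.example.", "SERVFAIL"),
    ("198.51.100.9", "ns1.broken.example.", "SERVFAIL"),
    ("198.51.100.9", "www.broken.example.", "SERVFAIL"),
    ("198.51.100.9", "www.example.org.", "NOERROR"),
    ("not-an-ip", "x.victim.example.", "SERVFAIL"),  # corrupt line: must be skipped
]


def suffix_at_depth(qname, depth):
    """Return the last `depth` labels of qname, lowercased, without trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def build_servfail_tree(records, depth=2):
    """Map each domain suffix to {client_ip: number of SERVFAIL answers}.

    Only SERVFAIL answers are counted, and unparseable client addresses are
    dropped so that a corrupt log line can never turn into a firewall entry.
    """
    tree = defaultdict(lambda: defaultdict(int))
    for client, qname, rcode in records:
        if rcode != "SERVFAIL":
            continue
        try:
            client = str(ipaddress.ip_address(client))
        except ValueError:
            continue
        tree[suffix_at_depth(qname, depth)][client] += 1
    return tree


def offenders(tree, min_queries=3):
    """Per suffix, the client IPs with at least min_queries SERVFAILs, sorted."""
    def sort_key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, addr)

    result = {}
    for suffix, clients in tree.items():
        ips = sorted((ip for ip, n in clients.items() if n >= min_queries),
                     key=sort_key)
        if ips:
            result[suffix] = ips
    return result


def ipset_commands(offenders_by_suffix, setname="dns-abusers"):
    """Render shell lines that fill an ipset and drop matching UDP/53 traffic.

    The trailing '# suffix' on each add line is a shell comment recording why the
    address was listed; -exist makes the script safe to re-run.
    """
    lines = [f"ipset create {setname} hash:ip -exist"]
    for suffix in sorted(offenders_by_suffix):
        for ip in offenders_by_suffix[suffix]:
            lines.append(f"ipset add {setname} {ip} -exist  # {suffix}")
    lines.append(f"iptables -I INPUT -p udp --dport 53 "
                 f"-m set --match-set {setname} src -j DROP")
    return lines


if __name__ == "__main__":
    tree = build_servfail_tree(SAMPLE_RECORDS)
    for suffix, clients in sorted(tree.items()):
        print(suffix)
        for ip, n in sorted(clients.items(), key=lambda kv: -kv[1]):
            print(f"  {ip:<16} {n} SERVFAIL")
    print()
    print("\n".join(ipset_commands(offenders(tree))))
```

Review the rendered commands before applying them: a domain whose authoritative servers are genuinely down (broken.example above) produces the same SERVFAIL pattern as an attack, so the per-suffix grouping is what lets an operator tell a misbehaving client from a legitimately broken zone before blocking anything.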
