We have been seeing this kind of traffic in a lot of places. The
auth-server method works.

Also attached is an implementation of drop-tld

drop-tld: <yes/no>

Default no. Drops client queries whose name has exactly 2 labels (the root "." counting as one label).


This is generally useful because we don't see many uses for a client
query asking for TLD information.


On 10/21/19 1:26 PM, Eduardo Schoedler via Unbound-users wrote:
> You can cache root zone:
>
> # Authority zones
> # The data for these zones is kept locally, from a file or downloaded.
> # The data can be served to downstream clients, or used instead of the
> # upstream (which saves a lookup to the upstream).  The first example
> # has a copy of the root for local usage.  The second serves example.org
> # authoritatively.  zonefile: reads from file (and writes to it if you also
> # download it), master: fetches with AXFR and IXFR, or url to zonefile.
> # With allow-notify: you can give additional (apart from masters) sources of
> # notifies.
> auth-zone:
>         name: "."
>         for-downstream: no
>         for-upstream: yes
>         fallback-enabled: yes
>         master: e.root-servers.net
>         master: f.root-servers.net
>         master: b.root-servers.net
>         master: c.root-servers.net
>         master: g.root-servers.net
>         master: k.root-servers.net
>         zonefile: "/etc/unbound/root.zone"
>
>
>
>
> Em seg, 21 de out de 2019 às 13:01, Joe Abley via Unbound-users
> <[email protected]> escreveu:
>> Hi,
>>
>> RFC 8198, which was implemented in Unbound 1.7.0.
>>
>> https://nlnetlabs.nl/news/2018/Mar/15/unbound-1.7.0-released/
>>
>>
>> Joe
>>
>>> On 21 Oct 2019, at 11:57, B. Cook via Unbound-users 
>>> <[email protected]> wrote:
>>>
>>> is there a way to address these locally?
>>>
>>> Without passing them to an upstream recursor?
>>>
>>> 10.20.8.29 is unbound and these are logs from dns-over-http client (aur 
>>> ports)
>>>
>>> 10.20.8.29:15020 - - [21/Oct/2019:11:49:13 -0400] "hbkuojyles. IN A"
>>> 10.20.8.29:13033 - - [21/Oct/2019:11:49:13 -0400] "fgtfkkdxgwfa. IN A"
>>> 10.20.8.29:56696 - - [21/Oct/2019:11:49:13 -0400] "hbkuojyles. IN A"
>>> 10.20.8.29:62727 - - [21/Oct/2019:11:49:13 -0400] "xkmnguqpjx. IN A"
>>> 10.20.8.29:16633 - - [21/Oct/2019:11:49:13 -0400] "xkmnguqpjx. IN A"
>>> 10.20.8.29:24331 - - [21/Oct/2019:11:49:13 -0400] "xkmnguqpjx. IN A"
>>> 10.20.8.29:35893 - - [21/Oct/2019:11:49:13 -0400] "gmjisoen. IN A"
>>> 10.20.8.29:31220 - - [21/Oct/2019:11:49:13 -0400] "rxdqenbginmvnm. IN A"
>>> 10.20.8.29:10867 - - [21/Oct/2019:11:49:14 -0400] "esfvwynlyoxgox. IN A"
>>>
>>> Is there some way to limit these?
>>>
>>> they randomly come in bursts from clients doing various checking.
>>>
>>> 10.20.8.29:59511 - - [21/Oct/2019:11:54:40 -0400] "uppkncjqrg. IN A"
>>> 10.20.8.29:29935 - - [21/Oct/2019:11:54:40 -0400] "sfedxwtllfx. IN A"
>>> 10.20.8.29:37957 - - [21/Oct/2019:11:54:40 -0400] "ewskqfu. IN A"
>>> 10.20.8.29:6215 - - [21/Oct/2019:11:54:40 -0400] "cfrwvnynxfquzr. IN A"
>>> 10.20.8.29:53225 - - [21/Oct/2019:11:54:40 -0400] "ovtxiaeztpaoxj. IN A"
>>> 10.20.8.29:9016 - - [21/Oct/2019:11:54:40 -0400] "kmavvjppntn. IN A"
>>> 10.20.8.29:11245 - - [21/Oct/2019:11:54:40 -0400] "fkshwbgafpp. IN A"
>>> 10.20.8.29:60053 - - [21/Oct/2019:11:54:40 -0400] "iqkjgvysb. IN A"
>>>
>>> Thanks in advance.
>>>
>>> --
>>>
>>> This message may contain confidential information and is intended only for
>>> the individual(s) named. If you are not an intended recipient you are not
>>> authorized to disseminate, distribute or copy this e-mail. Please notify
>>> the sender immediately if you have received this e-mail by mistake and
>>> delete this e-mail from your system.
>
diff --git a/daemon/worker.c b/daemon/worker.c
index 263fcdd..f787b70 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1213,6 +1213,15 @@ worker_handle_request(struct comm_point* c, void* arg, 
int error,
                addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
                log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
        }
+
+       if(worker->env.cfg->drop_tld) {
+               int lab = dname_count_labels(qinfo.qname);
+               if (lab == 2) {
+                       comm_point_drop_reply(repinfo);
+                       verbose(VERB_ALGO, "Dropping one label query.");
+                       return 0;
+               }
+       }
        if(qinfo.qtype == LDNS_RR_TYPE_AXFR || 
                qinfo.qtype == LDNS_RR_TYPE_IXFR) {
                verbose(VERB_ALGO, "worker request: refused zone transfer.");
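Review bot: The drop at `if (lab == 2)` keys only on the label count, so it also discards legitimate two-label queries such as `localhost.` (served by Unbound's default local zones, which appear to be consulted later in this function) and `com. IN SOA`/`NS`, whatever the qtype; consider narrowing it, e.g. `if(lab == 2 && (qinfo.qtype == LDNS_RR_TYPE_A || qinfo.qtype == LDNS_RR_TYPE_AAAA))`, or exempting names that match a local zone. The log text `"Dropping one label query."` also disagrees with the condition, which matches names of two labels including the root; `"Dropping TLD query (2 labels incl. root)."` would be consistent with the drop-tld option name. Silently dropping instead of answering REFUSED or NXDOMAIN makes clients time out and retry, which can multiply the very burst traffic the option targets; the refused-zone-transfer path just below looks like the pattern to reuse. Because the drop happens before the rest of the request handling it is presumably not reflected in any statistics counter — worth confirming. worker_handle_request starts and ends outside the hunk.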
diff --git a/util/config_file.h b/util/config_file.h
index b3ef930..2791541 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -274,6 +274,8 @@ struct config_file {
        int prefetch_key;
        /** deny queries of type ANY with an empty answer */
        int deny_any;
+       /** Drop TLD queries from clients **/
+       int drop_tld;
 
        /** chrootdir, if not "" or chroot will be done */
        char* chrootdir;
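Review bot: The doc comment on `drop_tld` closes with `**/` where the neighbouring fields use `*/`, and it does not say what the option does or what its default is; `/** drop client queries whose name has exactly two labels (TLD, incl. root); default no */` would match the sibling style and record the default. The default itself is not set anywhere in this diff (presumably zero from the config allocation, i.e. "no") — confirm that config_file.c and the unbound.conf man page are updated alongside so the option is printed and documented.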
diff --git a/util/configlexer.lex b/util/configlexer.lex
index a86ddf5..9bbedbb 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -299,6 +299,7 @@ private-domain{COLON}               { YDVAR(1, 
VAR_PRIVATE_DOMAIN) }
 prefetch-key{COLON}            { YDVAR(1, VAR_PREFETCH_KEY) }
 prefetch{COLON}                        { YDVAR(1, VAR_PREFETCH) }
 deny-any{COLON}                        { YDVAR(1, VAR_DENY_ANY) }
+drop-tld{COLON}                        { YDVAR(1, VAR_DROP_TLD) }
 stub-zone{COLON}               { YDVAR(0, VAR_STUB_ZONE) }
 name{COLON}                    { YDVAR(1, VAR_NAME) }
 stub-addr{COLON}               { YDVAR(1, VAR_STUB_ADDR) }
diff --git a/util/configparser.y b/util/configparser.y
index 10227a2..567d68e 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -164,6 +164,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
 %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
 %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
+%token VAR_DROP_TLD
 %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
 %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
 %token VAR_TLS_SESSION_TICKET_KEYS
@@ -266,6 +267,7 @@ content_server: server_num_threads | server_verbosity | 
server_port |
        server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
        server_fast_server_permil | server_fast_server_num  | 
server_tls_win_cert |
        server_tcp_connection_limit | server_log_servfail | server_deny_any |
+       server_drop_tld |
        server_unknown_server_time_limit | server_log_tag_queryreply |
        server_stream_wait_size | server_tls_ciphers |
        server_tls_ciphersuites | server_tls_session_ticket_keys
@@ -1466,6 +1468,16 @@ server_deny_any: VAR_DENY_ANY STRING_ARG
                free($2);
        }
        ;
+
+server_drop_tld: VAR_DROP_TLD STRING_ARG
+       {
+               OUTYY(("P(server_drop_tld:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->drop_tld = (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
 server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG
        {
                OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2));
