> And, in my situation, trying to maintain local zones or iptables rules is a literal "whack-a-mole" game; you can't humanly do that manually for an extended period of time. It's like these guys have troves of domains to use and abuse...
However, you can maintain a local zone list in unbound automatically fairly easily; we have been doing it for over a year with minimal need for manual intervention. If you wish, have a look at the attached Perl script.
The only other option is to persuade the users of the compromised machines to clean their systems.
--
Best Regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.: +420.226204627
[email protected]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------

On 04/01/2015 05:05 PM, Stephane LAPIE wrote:
> On 04/01/2015 04:54 PM, Stephane Bortzmeyer wrote:
>>> Manual iptables rules are not maintainable,
>> In my experience, they are, if the attacker does not change the suffix.
>
> Just my 2 cents here: the pattern I am seeing on my side does not evolve as fast as one per second, but the attacker does change domains every few hours or so. However, the authoritative servers being hammered as a result do not change that much. (Most domains I am seeing are Chinese domains related to online gambling and whatnot.)
>
> And, in my situation, trying to maintain local zones or iptables rules is a literal "whack-a-mole" game; you can't humanly do that manually for an extended period of time. It's like these guys have troves of domains to use and abuse... (Things get further tricky when some of these domains are set with wildcard records too.)
Attachment: check_recursive_queries_unbound_sanitized.pl (Perl program)
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
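Daniel's attached Perl script is not reproduced in the archive. The Python sketch below is an added example, not his script and not part of the Unbound project, showing the approach the thread describes: read Unbound's query log (log-queries: yes, whose message part is "info: <client> <qname> <qtype> <qclass>"), find zones where almost every query name is different (the signature of a random-subdomain flood, which still works when the abused zone has a wildcard and every random name gets an answer), and emit local-zone lines or unbound-control commands that refuse them. The log lines are constructed for the example; the "registered zone = last two labels" heuristic, the thresholds, and the zone names are assumptions. It flags any number of abused zones at once rather than the single case in the text.

```python
import re
from collections import defaultdict

# Regex for Unbound's query log (log-queries: yes), whose message part is
# "info: <client-ip> <qname> <qtype> <qclass>".
QUERY_RE = re.compile(r"info: (\S+) (\S+) (\S+) (\S+)\s*$")

# Constructed sample log for this example (addresses and names made up).
# First, ordinary traffic: a few clients asking for a handful of names.
SAMPLE_LOG = [
    f"[142789950{i % 10}] unbound[1234:0] info: 192.0.2.{10 + i % 3} "
    f"{name}.legit.example. A IN"
    for i, name in enumerate(["www", "mail", "www", "imap", "www", "www"] * 5)
]
# Then a random-subdomain flood against one zone: every query name is unique.
ATTACK_LABELS = [
    "a8f3k", "zq91m", "p0x2v", "t7lq9", "m3n8r", "k2w5e", "h9y4u", "c6b1d",
    "x0s7f", "v5j2g", "r8e9h", "q1t6j", "w4o3k", "e7i8l", "y2u5n", "u9a1o",
    "i3d4p", "o6g7q", "s1k0r", "d8l2s", "f5z9t", "g2c3u", "j7v6w", "l4b8x",
    "n0m1y",
]
SAMPLE_LOG += [
    f"[1427899600] unbound[1234:0] info: 198.51.100.{1 + i % 7} "
    f"{label}.gambling-site.example. A IN"
    for i, label in enumerate(ATTACK_LABELS)
]


def parse_query_line(line):
    """Return (client, qname, qtype) for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    client, qname, qtype, qclass = m.groups()
    if qclass != "IN":
        return None
    return client, qname.lower(), qtype


def zone_of(qname, labels=2):
    """Heuristic 'registered zone': the last `labels` labels of the name.
    This is an assumption for the example; a public-suffix list would be
    more accurate (names under co.uk, for instance, need three labels)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:]) + "."


def find_abused_zones(lines, min_distinct=20, min_unique_ratio=0.8, labels=2):
    """Zones whose queries are mostly unique names. Counting distinct qnames
    rather than NXDOMAIN responses keeps the check working when the abused
    zone has a wildcard record and every random name gets a positive answer."""
    total = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        _client, qname, _qtype = parsed
        zone = zone_of(qname, labels)
        total[zone] += 1
        names[zone].add(qname)
    flagged = {}
    for zone, n in total.items():
        distinct = len(names[zone])
        if distinct >= min_distinct and distinct / n >= min_unique_ratio:
            flagged[zone] = {"queries": n, "distinct": distinct}
    return flagged


def render_local_zones(zones, ztype="refuse"):
    """Config lines for unbound.conf (pull them in with an include: line)."""
    return [f'local-zone: "{zone}" {ztype}' for zone in sorted(zones)]


def render_control_commands(zones, ztype="refuse"):
    """The same change applied to a running daemon via unbound-control."""
    return [f"unbound-control local_zone {zone} {ztype}" for zone in sorted(zones)]


if __name__ == "__main__":
    abused = find_abused_zones(SAMPLE_LOG)
    for zone, stats in abused.items():
        print(f"# {zone}: {stats['distinct']} distinct names in {stats['queries']} queries")
    print("\n".join(render_local_zones(abused)))
```

Run periodically over the recent log window and diff the output against the zones already loaded; zones that drop out of the flagged set can be released again with unbound-control local_zone_remove, which is what keeps the list from growing forever as the attacker rotates domains.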
