No one? Thanks.
On Tue, May 9, 2017 at 23:50, Eduardo Schoedler <[email protected]> wrote:
> Hi,
>
> Our unbound servers have been hit by a ubiquiti virus.
> A lot of nonsense queries, like:
>
> [1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
> [1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
> [1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN
>
> There is no IP address like 333.x.x.x, for example.
>
> So, I wrote a python module to filter these questions.
> But the problem with the code below is that there is an answer with
> RCODE_NXDOMAIN or RCODE_REFUSED to the origin.
>
>     if (re.match("([0-9]{3}\.){4}$", name)):
>         log_info("filter.py: "+name+" invalid")
>         qstate.return_rcode = RCODE_NXDOMAIN
>         qstate.ext_state[id] = MODULE_FINISHED
>         return True
>     else:
>         qstate.ext_state[id] = MODULE_WAIT_MODULE
>         return True
>
> Is there a way for the module not to answer the query?
> Generating no packet is the best approach to not generate a DNS
> amplification attack, for example.
>
> I just need to drop the query and move on.
>
> Thank you.
>
>
> Regards,
>
> --
> Eduardo Schoedler
>

--
Eduardo Schoedler
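An added example, not part of the original post: a stand-alone triage script for the query log lines quoted above. It reuses the post's regex and additionally checks whether any label exceeds 255; the client addresses (192.0.2.0/24) and the last three sample lines are constructed.

```python
import re
from collections import Counter

# Line shape from the post: [epoch] unbound[pid:thread] info: client qname type class
LOG_RE = re.compile(r"^\[\d+\] unbound\[\d+:\d+\] info: (\S+) (\S+) (\S+) (\S+)$")
# Same pattern as the post's filter: four labels of exactly three digits.
QUAD_RE = re.compile(r"^(?:[0-9]{3}\.){4}$")

def classify(qname):
    """Return 'other', 'quad-valid-octets' or 'quad-invalid-octets'."""
    if not QUAD_RE.match(qname):
        return "other"
    octets = [int(label) for label in qname.rstrip(".").split(".")]
    if any(o > 255 for o in octets):
        return "quad-invalid-octets"   # cannot be an IPv4 address, as the post notes
    return "quad-valid-octets"         # the post's regex matches these as well

def summarize(lines):
    """Return (per-client count of dotted-quad queries, list of (qname, verdict))."""
    per_client, verdicts = Counter(), []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                   # not a query log line; skip it
        client, qname = m.group(1), m.group(2)
        verdict = classify(qname)
        verdicts.append((qname, verdict))
        if verdict != "other":
            per_client[client] += 1
    return per_client, verdicts

# Constructed sample: first three qnames are from the post, the rest are made up.
# Client addresses are placeholders from 192.0.2.0/24.
SAMPLE = [
    "[1494383886] unbound[58166:3] info: 192.0.2.10 333.167.145.065. A IN",
    "[1494383886] unbound[58166:2] info: 192.0.2.10 367.054.004.010. A IN",
    "[1494383886] unbound[58166:6] info: 192.0.2.11 367.046.375.366. AAAA IN",
    "[1494383887] unbound[58166:0] info: 192.0.2.11 192.168.001.001. A IN",
    "[1494383887] unbound[58166:1] info: 192.0.2.12 example.com. A IN",
    "[1494383887] unbound[58166:1] notice: constructed non-query line",
]

if __name__ == "__main__":
    counts, verdicts = summarize(SAMPLE)
    for qname, verdict in verdicts:
        print(f"{qname:20} {verdict}")
    for client, n in counts.most_common():
        print(f"{client}: {n} dotted-quad queries")
```

The per-client counts show which sources send these names, which helps decide where rate limiting or an access-control rule belongs.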
