
List:       unbound-users
Subject:    Re: Python module to ignore query
From:       Eduardo Schoedler via Unbound-users <unbound-users () unbound ! net>
Date:       2017-05-30 7:50:34
Message-ID: CAHf3uWwRF0TU50LQ3Vz1KOsm9sNdUoFmeP5WMt_+TM7YKBGLag () mail ! gmail ! com

No one?

Thanks.

On Tue, May 9, 2017 at 23:50, Eduardo Schoedler <listas@esds.com.br>
wrote:

> Hi,
>
> Our unbound servers have been hit by a Ubiquiti virus.
> A lot of nonsense queries, like:
>
> [1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
> [1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
> [1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN
>
> No IP address like 333.x.x.x exists, for example.
>
> So, I wrote a Python module to filter these questions.
> But the problem with the code below is that there is an answer with
> RCODE_NXDOMAIN or RCODE_REFUSED to the origin.
>
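> # name is the query name with its trailing dot, e.g. "333.167.145.065."
> if re.match(r"([0-9]{3}\.){4}$", name):
>     log_info("filter.py: "+name+" invalid")
>     # the module finishes here with an rcode, so a reply is still sent
>     qstate.return_rcode = RCODE_NXDOMAIN
>     qstate.ext_state[id] = MODULE_FINISHED
>     return True
> else:
>     # no match: pass the query on to the next module
>     qstate.ext_state[id] = MODULE_WAIT_MODULE
>     return True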
>
> Is there a way for the module not to answer the query?
> Generating no packet is the best approach to avoid generating a DNS
> amplification attack, for example.
>
> I just need to drop the query and move on.
>
> Thank you.
>
>
> Regards,
>
> --
> Eduardo Schoedler
>
-- 
Eduardo Schoedler
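
Added example, not part of the original message or of the poster's module: the match condition from the quoted filter, run offline over query-log lines in the format shown above to count filtered queries per client. The client addresses (192.0.2.x), the two non-matching names, the "start of service" line and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Query-log line format as quoted in the message:
#   [epoch] unbound[pid:thread] info: <client> <qname> <qtype> <qclass>
LOG_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)
# Same condition as the quoted filter: the whole name is four 3-digit labels.
BOGUS_RE = re.compile(r"([0-9]{3}\.){4}$")

# Constructed sample: the first three query names come from the message;
# client addresses are placeholders (the message shows only x.x.x.x).
SAMPLE_LOG = """\
[1494383886] unbound[58166:3] info: 192.0.2.10 333.167.145.065. A IN
[1494383886] unbound[58166:2] info: 192.0.2.10 367.054.004.010. A IN
[1494383886] unbound[58166:6] info: 192.0.2.77 367.046.375.366. AAAA IN
[1494383886] unbound[58166:1] info: 192.0.2.10 www.example.com. A IN
[1494383886] unbound[58166:0] info: 192.0.2.77 4.3.2.1.in-addr.arpa. PTR IN
[1494383886] unbound[58166:0] info: start of service
"""

def is_bogus(qname):
    """True when the quoted filter condition would match this query name."""
    return BOGUS_RE.match(qname) is not None

def tally_bogus(log_text):
    """Count matching queries per client; return (per_client, unparsed)."""
    per_client = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1  # not a query line (other log messages)
            continue
        if is_bogus(m.group("qname")):
            per_client[m.group("client")] += 1
    return per_client, unparsed

if __name__ == "__main__":
    clients, skipped = tally_bogus(SAMPLE_LOG)
    for client, count in clients.most_common():
        print(f"{client}\t{count}")
    print(f"unparsed lines: {skipped}")
```

The pattern matches any name made of four 3-digit labels, so a zero-padded name such as 192.168.001.001. is counted as well, and it only matches when the trailing dot is present.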
