Maintained by: NLnet Labs

Python module to ignore query

Eduardo Schoedler
Wed May 10 04:50:22 CEST 2017


Hi,

Our unbound servers have been hit by a Ubiquiti virus.
A lot of nonsense queries, like:

[1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
[1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
[1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN

There is no IP address like 333.x.x.x, for example.

So, I wrote a Python module to filter these questions.
But the problem with the code below is that there is an answer with
RCODE_NXDOMAIN or RCODE_REFUSED sent to the origin.

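# Names made of four three-digit labels are answered with NXDOMAIN
if re.match(r"([0-9]{3}\.){4}$", name):
    log_info("filter.py: " + name + " invalid")
    qstate.return_rcode = RCODE_NXDOMAIN
    qstate.ext_state[id] = MODULE_FINISHED
    return True
else:
    # Anything else is handed on to the next module
    qstate.ext_state[id] = MODULE_WAIT_MODULE
    return True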

Is there a way for the module to not answer the query?
Generating no packet is the best approach to not generate a DNS
amplification attack, for example.

I just need to drop the query and move on.

Thank you.


Regards,

-- 
Eduardo Schoedler
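
An offline check of the filter's pattern against query-log lines in the format quoted above, tallying matches per client (an added example, not part of the original post). The client addresses and the last four sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Same pattern as the filter in the post, written as a raw string:
# four labels of exactly three digits, each followed by a dot.
BOGUS_QNAME = re.compile(r"([0-9]{3}\.){4}$")

# Layout of the query-log lines quoted in the post:
# [epoch] unbound[pid:thread] info: <client> <qname> <qtype> <qclass>
LOG_LINE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)$"
)

def is_bogus(qname):
    """True when the name would be caught by the post's filter."""
    return BOGUS_QNAME.match(qname) is not None

def tally_bogus(lines):
    """Return (Counter of bogus queries per client, list of unparsed lines)."""
    per_client = Counter()
    unparsed = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            unparsed.append(line)  # not a query-log line; keep for review
            continue
        if is_bogus(m.group("qname")):
            per_client[m.group("client")] += 1
    return per_client, unparsed

# Constructed sample: query names 1-3 are from the post, the rest are made up.
# Client addresses are documentation-range placeholders (post shows x.x.x.x).
SAMPLE = [
    "[1494383886] unbound[58166:3] info: 192.0.2.10 333.167.145.065. A IN",
    "[1494383886] unbound[58166:6] info: 192.0.2.10 367.046.375.366. AAAA IN",
    "[1494383886] unbound[58166:1] info: 192.0.2.77 354.316.064.332. AAAA IN",
    "[1494383887] unbound[58166:0] info: 192.0.2.77 www.example.com. A IN",
    "[1494383887] unbound[58166:2] info: 192.0.2.77 4.3.2.1.in-addr.arpa. PTR IN",
    # Matches too: the pattern keys on label shape, not on octet range.
    "[1494383887] unbound[58166:2] info: 192.0.2.10 192.168.001.001. A IN",
    "[1494383888] unbound[58166:4] notice: constructed non-query line",
]

if __name__ == "__main__":
    counts, skipped = tally_bogus(SAMPLE)
    for client, n in counts.most_common():
        print(f"{client}\t{n}")
    print(f"unparsed lines: {len(skipped)}")
```

The pattern requires the trailing root dot, so a name logged without it is not counted.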