Maintained by: NLnet Labs

Python module to ignore query

Eduardo Schoedler
Tue May 30 09:50:34 CEST 2017


No one?

Thanks.

On Tue, May 9, 2017 at 23:50, Eduardo Schoedler <listas at esds.com.br>
wrote:

> Hi,
>
> Our unbound servers have been hit by a Ubiquiti virus.
> A lot of nonsense queries, like:
>
> [1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
> [1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
> [1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
> [1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
> [1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN
>
> No IP address like 333.x.x.x exists, for example.
>
> So, I wrote a Python module to filter these questions.
> But the problem with the code below is that there is an answer with
> RCODE_NXDOMAIN or RCODE_REFUSED to the origin.
>
> # Raw string so that \. reaches the regex engine as an escaped dot.
> if (re.match(r"([0-9]{3}\.){4}$", name)):
>     log_info("filter.py: "+name+" invalid")
>     qstate.return_rcode = RCODE_NXDOMAIN
>     qstate.ext_state[id] = MODULE_FINISHED
>     return True
> else:
>     qstate.ext_state[id] = MODULE_WAIT_MODULE
>     return True
>
> Is there a way for the module to not answer the query?
> Generating no packet is the best approach to not generate a DNS
> amplification attack, for example.
>
> I just need to drop the query and move on.
>
> Thank you.
>
>
> Regards,
>
> --
> Eduardo Schoedler
>
-- 
Eduardo Schoedler
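
An added example, not part of the original message or of Unbound: a small triage script that parses query log lines in the layout quoted above and counts, per client and per query type, the names that meet the message's criterion (four three-digit labels). The sample input is the seven log lines from the message plus one constructed ordinary query; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the seven log lines quoted in the message, plus one
# constructed ordinary query (last line) for contrast.
SAMPLE_LOG = """\
[1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
[1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
[1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN
[1494383886] unbound[58166:4] info: x.x.x.x www.example.com. A IN
"""

# Layout seen in the message:
# [epoch] unbound[pid:thread] info: <client> <qname> <qtype> <qclass>
LOG_LINE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Same criterion as the filter in the message: exactly four three-digit
# labels, each followed by a dot, and nothing before or after.
BOGUS_NAME = re.compile(r"([0-9]{3}\.){4}")


def is_bogus(qname):
    return BOGUS_NAME.fullmatch(qname) is not None


def triage(log_text):
    """Return (bogus_per_client, bogus_per_qtype, normal_count)."""
    per_client, per_qtype, normal = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # not a query log line
        if is_bogus(m["qname"]):
            per_client[m["client"]] += 1
            per_qtype[m["qtype"]] += 1
        else:
            normal += 1
    return per_client, per_qtype, normal


if __name__ == "__main__":
    clients, qtypes, normal = triage(SAMPLE_LOG)
    print("bogus by client:", dict(clients))
    print("bogus by qtype: ", dict(qtypes), "| normal:", normal)
```
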