[dns-operations] "NS .", the attack of the month?

David Dagon dagon at cc.gatech.edu
Sat Jan 24 22:45:13 UTC 2009

On Sat, Jan 24, 2009 at 11:05:40PM +0100, Stephane Bortzmeyer wrote:
> It is still trendy, apparently. As I watch one recursive name server
> (but I see nothing on many others), I see a 2-3 p/s "NS ." queries
> claiming to come from and even from
> (pretending ISPrime).
> Still no perfect solution for it?
> At least dnscap is great to watch it:
> sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'
> Any way with dnscap to restrict the QTYPE of the query?

I don't see a man page suggestion.  But I think pipes between dnscap
and tcpdump can be used.

The difficulty is that qtype comes after the qname, which can be a
variable length.  But dnscap can also dump binary output to stdout
with the "-w -" argument.

So one might use your expression above to filter for only "." queries,
and then use tcpdump to & for the desired qtype, and then pipe that
output to another dnscap process for easy visual display or further
processing.  I've not tried this, but something like this may be

  # QTYPE follows the QNAME; for "." the QNAME is the single root byte, so
  # from the start of the UDP header: 8 (UDP) + 12 (DNS header) + 1 = 21.
  # NS is QTYPE 2.  The filter is quoted so the shell does not see "&"/"=".
  OFFSET=21; QTYPE=2
  sudo dnscap -i eth0 -w - -s i -x '^\.$' \
       | tcpdump -r - -w - "udp[${OFFSET}:2] = ${QTYPE}" \
       | dnscap -r - -w isprime-attack -g 2>&1

Now you just need to figure out OFFSET---it will be a fixed number of
bytes since the length of qname is 1 (plus the runlength byte and
terminating bytes); I can't recall off hand.

I believe QTYPE should be '2' for NS.

David Dagon              /"\                          "When cryptography
dagon at cc.gatech.edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
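Added example, not part of the list post or of dnscap/tcpdump: a small Python script that works out the byte offset the message leaves open. It encodes a QNAME in wire format, computes where QTYPE sits relative to tcpdump's udp[N] (UDP header, DNS header, then the variable-length QNAME), emits the matching BPF expression, and emulates that 2-byte compare on constructed "NS ." and "NS example.com." datagrams. Python is used here because the check can be exercised offline without a capture interface; ports, transaction ID and the sample queries are all constructed for the example.

```python
"""Where does QTYPE land in a UDP DNS query, and what tcpdump filter matches it?

Added example (not from the list post): builds constructed "NS ." and
"NS example.com." queries, computes the tcpdump udp[N:2] offset of QTYPE
the way the post describes, and emulates that filter on the raw bytes.
"""
import struct

UDP_HDR_LEN = 8    # tcpdump's udp[0] is the first byte of the UDP header
DNS_HDR_LEN = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QTYPE_A, QTYPE_NS = 1, 2


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero byte.
    The root "." is just the terminating zero byte, hence length 1."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def qtype_udp_offset(name: str) -> int:
    """Byte offset of QTYPE from the start of the UDP header, for a query
    whose single question is for `name`.  Only the QNAME part varies."""
    return UDP_HDR_LEN + DNS_HDR_LEN + len(encode_qname(name))


def bpf_filter(name: str, qtype: int) -> str:
    """tcpdump expression matching QTYPE for this qname: a 2-byte equality,
    not a bitwise AND, since QTYPE is a 16-bit field."""
    return f"udp[{qtype_udp_offset(name)}:2] = {qtype}"


def build_udp_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample datagram: UDP header + DNS query, no IP layer.
    Source port, transaction ID and the zero checksum are placeholders."""
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
           + encode_qname(name) + struct.pack("!HH", qtype, 1))  # QCLASS IN
    udp = struct.pack("!HHHH", 53210, 53, UDP_HDR_LEN + len(dns), 0)
    return udp + dns


def udp_u16(datagram: bytes, off: int) -> int:
    """Emulates udp[off:2]: big-endian 16-bit load relative to the UDP header."""
    return struct.unpack_from("!H", datagram, off)[0]


def filter_matches(datagram: bytes, name: str, qtype: int) -> bool:
    """Apply the same comparison the BPF expression for `name` would make."""
    return udp_u16(datagram, qtype_udp_offset(name)) == qtype


if __name__ == "__main__":
    print(bpf_filter(".", QTYPE_NS))            # the expression for the pipeline
    for n, t in ((".", QTYPE_NS), (".", QTYPE_A), ("example.com.", QTYPE_NS)):
        pkt = build_udp_query(n, t)
        # Always apply the "." filter: the third case reads into the QNAME bytes
        # of example.com instead of its QTYPE, which is why the dnscap
        # -x '^\.$' prefilter has to run before a fixed-offset tcpdump match.
        print(n, t, filter_matches(pkt, ".", QTYPE_NS))
```

The printed expression is what goes into the tcpdump stage of the pipeline; it is only valid because the upstream dnscap stage has already restricted the stream to queries whose QNAME is exactly ".", so the QTYPE offset is fixed at 21.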

More information about the dns-operations mailing list