[dns-operations] "NS .", the attack of the month?

Robert Edmonds edmonds at gtisc.gatech.edu
Sun Jan 25 03:04:33 UTC 2009


Jelte Jansen wrote:
> Jelte Jansen wrote:
> > Stephane Bortzmeyer wrote:
> >> At least dnscap is great to watch it:
> > ~> sudo tcpdump port 53 -w - | ldns-dpa -f 'qtype=NS&qr=0' -sf | grep From:
> 
> err, it's getting late, that of course does not filter on '.' queries.
> 
> The next version will have a qname filter function, available in the development
> version as of three minutes ago;
> 
> ~> time sudo tcpdump port 53 -w - | ldns-dpa -f 'qname=.&qtype=NS&qr=0' -sf |
> grep From:

ncaptool as of 1.5.0 (see changes attached) supports this directly, e.g.

    # ncaptool -i em0 -mg - dns qname=. qtype=ns flags\#qr
    [17 pcap if em0] 2009-01-25 02:58:21.368781000 [00000000 00000000] \
            [216.27.162.2].41245 [192.5.5.241].53 udp \
            dns QUERY,NOERROR,39504 \
            1 .,IN,NS 0 0 0

ftp://ftp.isc.org/isc/ncap/ncap-1.5.0.tar.gz

-- 
Robert Edmonds
edmonds at gtisc.gatech.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ncap_150_qname.diff
Type: text/x-diff
Size: 1884 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090124/027a33a2/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ncap_150_qtype.diff
Type: text/x-diff
Size: 4092 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090124/027a33a2/attachment-0001.diff>


More information about the dns-operations mailing list