[dns-operations] dnstop 'refused' filter

Seth Hall hall.692 at osu.edu
Fri Jan 30 17:51:54 UTC 2009

On Jan 30, 2009, at 7:06 AM, Marco Davids wrote:

> I'd be very interested in a filter that will trigger on NXDOMAIN
> responses for MX queries.

If you're interested in getting your feet wet with a different tool,  
here's a short script for the Bro intrusion detection system (http://www.bro-ids.org 
) that accomplishes this.

@load dns
event dns_query_reply(c: connection, msg: dns_msg, query: string,  
qtype: count, qclass: count)
	if ( query_types[qtype] == "MX" &&
	     base_error[msg$rcode] == "NXDOMAIN" )
		print fmt("MX query with NXDOMAIN reply: %s %s", id_string(c$id),  


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

More information about the dns-operations mailing list