[dns-operations] blocking malicious dns traffic

William Taylor williamt at corp.sonic.net
Thu Jul 3 23:41:33 UTC 2014

Here is something I put together to block some malicious  SERVFAILS we
have been seeing coming from exploited customers.
Currently geared towards bind but could by easily adapted to work with
out dns servers.

Basically it listens to the interface for SERVFAIL traffic matching
against a pattern. Once it hits a definable threshold
it will add them to a zone file to be blocked. You could collect stats
from this if you like and add to firewalls or notify your customers, etc.


Let me know what you think.


More information about the dns-operations mailing list