[dns-operations] blocking malicious dns traffic
Paul Vixie
paul at redbarn.org
Fri Jul 4 00:27:44 UTC 2014
William Taylor wrote:
> Here is something I put together to block some malicious SERVFAILS we
> have been seeing coming from exploited customers.
> Currently geared towards bind but could be easily adapted to work with
> out dns servers.
this is fun stuff.
>
> Basically it listens to the interface for SERVFAIL traffic matching
> against a pattern. Once it hits a definable threshold
> it will add them to a zone file to be blocked. You could collect stats
> from this if you like and add to firewalls or notify your customers, etc.
>
> https://github.com/willt/dnsbff
>
>
> Let me know what you think.
i think that somewhere well south of a million bad zones into a
deployment, this approach will stall, due to the parsing time on the
bad-zones.conf file. for that reason, i strongly suggest that you recast
this into an RPZ zone maintenance tool. you can learn more about RPZ
here:
<https://kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNSRPZ/>,
and here: <https://dnsrpz.info/>. it's currently BIND specific, but
that's a temporary matter.
vixie
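An added example, not part of the thread and not the dnsbff or ISC code: it takes the SERVFAIL-threshold idea from the quoted post and emits one RPZ zone, as the reply suggests, rather than one zone statement per blocked name. The log line layout, the zone origin `rpz.local`, the TTLs and the threshold value are assumptions; the sample log is constructed.

```python
"""Added example: SERVFAIL threshold -> RPZ zone file.

Not the dnsbff code and not ISC's.  The input format ("client qname rcode"
per line) is an assumed, simplified shape of a resolver's response log;
the RPZ zone origin, TTLs and SOA values are assumptions as well.
"""
import re
from collections import Counter

# Constructed sample log lines (not captured from a real resolver).
SAMPLE_LOG = """\
192.0.2.10 www.example.net SERVFAIL
192.0.2.10 www.example.net SERVFAIL
192.0.2.11 www.example.net SERVFAIL
192.0.2.12 bad.example.org SERVFAIL
192.0.2.12 fine.example.com NOERROR
192.0.2.13 www.example.net NOERROR
"""

# Assumed layout: <client ip> <qname> <rcode>
LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def count_servfails(log_text):
    """Count SERVFAIL responses per queried name.

    Names are lower-cased and stripped of a trailing dot so that
    'WWW.Example.NET.' and 'www.example.net' land in the same bucket.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("rcode") != "SERVFAIL":
            continue
        counts[m.group("qname").lower().rstrip(".")] += 1
    return counts


def select_blocked(counts, threshold):
    """Names whose SERVFAIL count reached the threshold, sorted so the
    rendered zone is stable between runs (easier to diff and audit)."""
    return sorted(name for name, c in counts.items() if c >= threshold)


def render_rpz_zone(names, serial, origin="rpz.local"):
    """Render an RPZ zone text.

    In RPZ, a record 'name CNAME .' tells the resolver to answer NXDOMAIN
    for that name; the '*.name' entry extends the policy to subdomains.
    All blocked names live in this one zone, which the server loads as a
    single zone instead of parsing one zone statement per name.  The
    serial must increase on every regeneration so secondaries pick it up.
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for name in names:
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def build_zone(log_text, threshold, serial):
    """Full pipeline: log text -> counts -> threshold -> RPZ zone text."""
    blocked = select_blocked(count_servfails(log_text), threshold)
    return render_rpz_zone(blocked, serial)


if __name__ == "__main__":
    # Threshold of 2 is an assumed tuning value, as is the serial.
    print(build_zone(SAMPLE_LOG, threshold=2, serial=2014070401))
```

The resolver then references the generated zone once, through BIND's `response-policy { zone "rpz.local"; };` option, and reloads or transfers it when the serial changes; the block list can grow without touching named.conf again.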