[dns-operations] blocking malicious dns traffic

Paul Vixie paul at redbarn.org
Fri Jul 4 00:27:44 UTC 2014

William Taylor wrote:
> Here is something I put together to block some malicious  SERVFAILS we
> have been seeing coming from exploited customers.
> Currently geared towards bind but could by easily adapted to work with
> out dns servers.

this is fun stuff.

> Basically it listens to the interface for SERVFAIL traffic matching
> against a pattern. Once it hits a definable threshold
> it will add them to a zone file to be blocked. You could collect stats
> from this if you like and add to firewalls or notify your customers, etc.
> https://github.com/willt/dnsbff
> Let me know what you think.

i think that somewhere well south of a million bad zones into a
deployment, this approach will stall, due to the parsing time on the
bad-zones.conf file. for that reason, i strongly suggest that you recast
this into an RPZ zone maintainance tool. you can learn more about RPZ
and here: <https://dnsrpz.info/>. it's currently BIND specific, but
that's a temporary matter.


More information about the dns-operations mailing list