[dns-operations] Malware queries: code to detect, block domains and subdomains

Nick Urbanik nick.urbanik at optusnet.com.au
Fri Jun 27 02:25:43 UTC 2014

On 20/06/14 16:07 +1000, Nick Urbanik wrote:
>Our DNS caches are subject to a massive load of queries which resulted
>initially in SERVFAIL.  The pattern is a parent DNS domain, with
>queries for tens of thousands of apparently randomly generated
>subdomains all initially resulting in SERVFAIL.
>I have written code to analyse the query-errors log to detect these
>patterns and blackhole the entire domain automatically.  I can tidy
>the code up and make it freely available if there is sufficient

The code is now available at http://nicku.org/software/#dns-malware-blocker

Feedback welcome.
Nick Urbanik http://nicku.org 808-71011 nick.urbanik at optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24  ID: BB9D2C24
I disclaim, therefore I am.

More information about the dns-operations mailing list