[dns-operations] Malware queries: code to detect, block domains and subdomains
Nick Urbanik
nick.urbanik at optusnet.com.au
Fri Jun 27 02:25:43 UTC 2014
On 20/06/14 16:07 +1000, Nick Urbanik wrote:
>Our DNS caches are subject to a massive load of queries which resulted
>initially in SERVFAIL. The pattern is a parent DNS domain, with
>queries for tens of thousands of apparently randomly generated
>subdomains all initially resulting in SERVFAIL.
>
>I have written code to analyse the query-errors log to detect these
>patterns and blackhole the entire domain automatically. I can tidy
>the code up and make it freely available if there is sufficient
>interest.
The code is now available at http://nicku.org/software/#dns-malware-blocker
Feedback welcome.
--
Nick Urbanik http://nicku.org 808-71011 nick.urbanik at optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
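The detection described above, as an added example: this is not the dns-malware-blocker code linked in the post, but an illustration of the same idea. It assumes BIND 9 style query-errors log lines of the shape shown in the constructed SAMPLE_LOG ("query failed (RCODE) for NAME/IN/TYPE"), approximates the parent domain as the last two labels (a real deployment would consult the Public Suffix List), and uses a toy threshold of three distinct SERVFAIL subdomains where the post describes tens of thousands. The output is a set of RPZ records that blackhole the parent domain and everything beneath it.

```python
"""Detect a SERVFAIL flood of random subdomains under one parent domain.

Added example, not Nick Urbanik's dns-malware-blocker. The log format and
the sample lines below are assumed/constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: three random-looking labels under bad-example.test,
# two ordinary names under legit.test, and one non-SERVFAIL error.
SAMPLE_LOG = """\
27-Jun-2014 02:25:43.101 query-errors: info: client 192.0.2.10#40001 (q7f3k1.bad-example.test): query failed (SERVFAIL) for q7f3k1.bad-example.test/IN/A at query.c:7136
27-Jun-2014 02:25:43.102 query-errors: info: client 192.0.2.11#40002 (zz91pq.bad-example.test): query failed (SERVFAIL) for zz91pq.bad-example.test/IN/A at query.c:7136
27-Jun-2014 02:25:43.103 query-errors: info: client 192.0.2.12#40003 (m0x8ab.bad-example.test): query failed (SERVFAIL) for m0x8ab.bad-example.test/IN/A at query.c:7136
27-Jun-2014 02:25:43.104 query-errors: info: client 192.0.2.13#40004 (q7f3k1.bad-example.test): query failed (SERVFAIL) for q7f3k1.bad-example.test/IN/A at query.c:7136
27-Jun-2014 02:25:43.105 query-errors: info: client 192.0.2.14#40005 (www.legit.test): query failed (SERVFAIL) for www.legit.test/IN/AAAA at query.c:7136
27-Jun-2014 02:25:43.106 query-errors: info: client 192.0.2.15#40006 (mail.legit.test): query failed (SERVFAIL) for mail.legit.test/IN/MX at query.c:7136
27-Jun-2014 02:25:43.107 query-errors: info: client 192.0.2.16#40007 (www.legit.test): query failed (REFUSED) for www.legit.test/IN/A at query.c:7136
"""

# Assumed line shape: "... query failed (RCODE) for NAME/IN/TYPE at ..."
LINE_RE = re.compile(
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<name>[^/\s]+)/IN/(?P<qtype>\S+)"
)


def parent_domain(name: str, labels: int = 2) -> str:
    """Registered-domain approximation: keep the last `labels` labels.

    Simplification: a real deployment should use the Public Suffix List,
    otherwise names under e.g. co.uk are grouped wrongly.
    """
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def servfail_subdomains(log_text: str) -> dict:
    """Map parent domain -> set of distinct subdomain names that got SERVFAIL."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("rcode") != "SERVFAIL":
            continue
        name = m.group("name").rstrip(".").lower()
        parent = parent_domain(name)
        if name != parent:  # count subdomains only, not the apex itself
            seen[parent].add(name)
    return seen


def suspicious_domains(log_text: str, min_distinct: int = 3) -> list:
    """Parents with at least `min_distinct` distinct SERVFAIL subdomains.

    The threshold is deliberately tiny for the sample; the pattern in the
    post involved tens of thousands of distinct names per parent.
    """
    counts = servfail_subdomains(log_text)
    return sorted(p for p, names in counts.items() if len(names) >= min_distinct)


def rpz_records(domains) -> list:
    """RPZ records returning NXDOMAIN for each domain and everything under it."""
    out = []
    for d in domains:
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


if __name__ == "__main__":
    flagged = suspicious_domains(SAMPLE_LOG)
    print("\n".join(rpz_records(flagged)))
```

In the sample, only bad-example.test crosses the threshold (three distinct failing names; the repeated q7f3k1 lookup is counted once), while legit.test has two and the REFUSED line is ignored. Loading the emitted records into a response-policy zone blackholes the parent and all its subdomains, which is the "blackhole the entire domain" step the post describes.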