Maintained by: NLnet Labs

DGA Attack mitigation

Eduardo Schoedler
Mon Apr 9 23:36:11 CEST 2018


2018-04-09 16:15 GMT-03:00 Paul Vixie via Unbound-users
<unbound-users at unbound.net>:
>
>
> Rainer Duffner via Unbound-users wrote:
>>
>>> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users
>>> <unbound-users at unbound.net> wrote:
>>>
>>> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN,
>>> for queries coming from my clients.
>>
>> Block those IPs that are obviously p4wned until they clean up their PCs?
>
> the source addresses are forged. the victims are not unclean in any way.
> this is why rrl exists.

I drop queries in the firewall by string match.

# /sbin/iptables -A DNS -m string --algo bm \
    --hex-string '|04|wpad|06|domain|04|name|' --to 255 \
    -j DROP -m comment --comment "DROP wpad.domain.name"


-- 
Eduardo Schoedler
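
The rule above works because the QNAME appears in a DNS query as length-prefixed labels, so |04|wpad|06|domain|04|name is the wire encoding of wpad.domain.name. The Python below is an added example written for this thread, not the poster's script: it builds that pattern from a name, prints an equivalent rule (the chain name DNS, the --icase flag and the appended |00| root label are choices made here, not taken from the post), and models the match against constructed query payloads. The model shows two things worth checking before such a rule goes live: without the root label the pattern also matches wpad.domain.name.anything, and a case-sensitive pattern is evaded by mixed-case queries unless --icase is set.

```python
"""Build and sanity-check iptables string-match patterns for DNS names.

Added example for this thread, not the poster's script: it encodes a domain
name the way it appears on the wire in a DNS query (RFC 1035 length-prefixed
labels), renders it in the |xx| notation that `iptables -m string
--hex-string` accepts, and checks the pattern against a constructed query
payload so the matching semantics (substring, suffix extension, case) are
visible before a rule goes into a live chain.
"""
import struct


def qname_wire(name: str, terminate: bool = True) -> bytes:
    """Encode a domain name as DNS wire-format labels.

    With terminate=True the zero-length root label is appended, so the
    pattern only matches a QNAME that ends exactly at this name.
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(raw))
        out += raw
    if len(out) + 1 > 255:
        raise ValueError("name exceeds 255 octets on the wire")
    if terminate:
        out.append(0)
    return bytes(out)


# Bytes left literal inside a --hex-string argument; everything else becomes
# a |xx| block so shell quoting and the iptables '|' / '\' escapes cannot bite.
_LITERAL_OK = set(range(0x21, 0x7F)) - {ord(c) for c in "|\\'\""}


def hex_string(pattern: bytes) -> str:
    """Render bytes in the notation used by iptables -m string --hex-string."""
    return "".join(chr(b) if b in _LITERAL_OK else f"|{b:02x}|" for b in pattern)


def iptables_rule(name: str, chain: str = "DNS", terminate: bool = True,
                  icase: bool = True) -> str:
    """Return a DROP rule for queries naming `name` (chain name is an assumption)."""
    pat = hex_string(qname_wire(name, terminate))
    rule = ["iptables", "-A", chain, "-m", "string", "--algo", "bm",
            "--hex-string", f"'{pat}'"]
    if icase:
        rule.append("--icase")  # DNS names are case-insensitive; so is the drop
    rule += ["-j", "DROP", "-m", "comment", "--comment", f'"DROP {name}"']
    return " ".join(rule)


def dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS query payload (sample input): header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + qname_wire(qname) + struct.pack("!HH", qtype, 1)  # class IN


def string_match(payload: bytes, pattern: bytes, icase: bool = False) -> bool:
    """Model of xt_string: a plain substring search over the payload bytes.

    The real match also scans the IP/UDP headers and honours --from/--to;
    this model ignores offsets, which is a simplifying assumption.
    """
    if icase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def demo(name: str = "wpad.domain.name") -> dict:
    """Show how the same pattern behaves against a few constructed queries."""
    loose = qname_wire(name, terminate=False)   # labels only, no root label
    exact = qname_wire(name, terminate=True)    # root label appended
    return {
        "rule": iptables_rule(name),
        # the exact name: both forms match
        "exact_loose": string_match(dns_query(name), loose),
        "exact_exact": string_match(dns_query(name), exact),
        # extra labels appended: only the loose form still matches
        "appended_loose": string_match(dns_query(name + ".evil.example"), loose),
        "appended_exact": string_match(dns_query(name + ".evil.example"), exact),
        # a subdomain matches either form; nothing anchors the leading labels
        "prefixed_exact": string_match(dns_query("a." + name), exact),
        # mixed case evades a case-sensitive pattern unless --icase is set
        "upper_nocase": string_match(dns_query(name.upper()), exact),
        "upper_icase": string_match(dns_query(name.upper()), exact, icase=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

xt_string treats the packet as a byte string, so a rule like this fires on any packet in the chain that carries those bytes, responses included; limiting the scan with --to, as the posted rule does, at least keeps it to the start of the packet where the question section sits.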