[Discussion] features (mainly dns)
Victor Julien
lists at inliniac.net
Tue Dec 9 08:27:13 UTC 2008
Florian Weimer wrote:
> * David Dagon:
>
>> On Sun, Dec 07, 2008 at 08:59:14AM +0100, Florian Weimer wrote:
>>
>>>>> How do you mean? Like looking for a client that's making repeated DNS
>>>>> queries within the TTL? Maybe poorly coded bots?
>> <snip>
>>
>>> And all UNIX-like clients which do not perform local caching by
>>> default. 8-(
>> I've found that linux hosts can be filtered by keeping state on AAAA
>> lookups, followed by A lookups (glibc has this behavior).
>
> Nice idea. But this depends on the application (it has to use
> getaddrinfo) and system configuration (GNU libc must detect some form
> of IPv6 connectivity).
>
>> -- Consider filters for RFC suggested limits on NS counts (7 I
>> believe).
>
> I don't think such a limit exists at the RFC level. There are certain
> TLD-specific limits. As you've mentioned, these are often bypassed by
> serving more NS records in the authority section of responses. You
> may also need to exclude (e)TLDs and several DNSBLs.
>
> Multiple A records per NS record are likely suspicious, too (but I
> think you've already mentioned that).
I think the idea of having SpamAssassin-style scoring could be useful
here. One suspicious (but RFC-valid) property of a DNS request could
then be ignored, but if there is more suspiciousness than a certain
threshold, alert.
Regards,
Victor
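An added sketch of the scoring idea Victor describes, applied to the indicators raised earlier in the thread (repeated queries within the TTL, more than 7 NS records, several A records per NS, with an exemption list for TLDs and DNSBLs). This is example code written for this page, not from any poster and not Suricata code; the record layout, weights and threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed, simplified view of one DNS response (hypothetical layout).
@dataclass
class DnsResponse:
    client: str
    qname: str
    qtype: str
    ts: float       # observation time, seconds
    ttl: int        # TTL of the answer, seconds
    ns_count: int   # NS records across answer + authority sections
    a_per_ns: int   # max A records seen for a single NS name

# Weights are assumptions; a single RFC-valid oddity stays below threshold,
# a combination of them raises an alert.
WEIGHTS = {
    "repeat_within_ttl": 1.0,  # client re-asks before the TTL expired
    "ns_count_over_7": 2.0,    # more NS records than the commonly cited limit
    "multi_a_per_ns": 2.5,     # several A records behind one NS record
}
THRESHOLD = 4.0

class DnsScorer:
    def __init__(self, weights=WEIGHTS, threshold=THRESHOLD, exempt=()):
        self.weights = weights
        self.threshold = threshold
        self.exempt = tuple(exempt)      # suffixes never scored, e.g. DNSBL zones
        self.last_seen = {}              # (client, qname, qtype) -> (ts, ttl)

    def score(self, r):
        """Return (total, triggered_indicators, alert) for one response."""
        if r.qname.endswith(self.exempt) if self.exempt else False:
            return 0.0, [], False
        hits = []
        key = (r.client, r.qname, r.qtype)
        prev = self.last_seen.get(key)
        if prev is not None and r.ts - prev[0] < prev[1]:
            hits.append("repeat_within_ttl")
        self.last_seen[key] = (r.ts, r.ttl)
        if r.ns_count > 7:
            hits.append("ns_count_over_7")
        if r.a_per_ns > 1:
            hits.append("multi_a_per_ns")
        total = sum(self.weights[h] for h in hits)
        return total, hits, total >= self.threshold
```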