From: Nico S. <nic...@un...> - 2021-07-28 07:09:55
Good morning,

I was wondering what you think about adding support for suspicious DNS requests? We have quite a lot of DNS servers that report messages such as

  Jul 28 08:45:16 router1 named[135105]: client @0x7f13c4158c00 172.117.192.180#3074 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

every few seconds.

The reason why this is an attack is that the servers are resolvers for the DC and authoritative for various domains - so internal recursive queries are allowed, external aren't.

I think the pattern would be something along the lines of

  named.*client.*\(.*\)#.*denied$

with $1 having the address.

Best regards,

Nico

-- 
Sustainable and modern Infrastructures by ungleich.ch
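As an added worked example (not part of Nico's mail and not code from the project this list belongs to), the following Python script runs a stricter version of the proposed pattern over a handful of constructed named log lines. The regex is my own adaptation of `named.*client.*\(.*\)#.*denied$`: it anchors on the `client <addr>#<port> (<qname>)` block and captures the client address in a named group rather than relying on `$1`, so that the loose `.*` wildcards cannot swallow a wrong field, and it also accepts IPv6 client addresses and the optional `@0x...` client pointer that newer BIND versions print. The sample log, the `router1` host name, the threshold value and the helper function names are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log modelled on the line quoted in the mail.
# Lines 1, 2, 3 and 5 are "query ... denied" events from two clients;
# line 4 is a normal, permitted query log line that must NOT match.
SAMPLE_LOG = """\
Jul 28 08:45:16 router1 named[135105]: client @0x7f13c4158c00 172.117.192.180#3074 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
Jul 28 08:45:19 router1 named[135105]: client @0x7f13c4158c00 172.117.192.180#3075 (pizzaseo.com): query (cache) 'pizzaseo.com/ANY/IN' denied
Jul 28 08:45:20 router1 named[135105]: client @0x7f13c41a2e00 2001:db8::42#53421 (example.net): query (cache) 'example.net/A/IN' denied
Jul 28 08:45:21 router1 named[135105]: client @0x7f13c4159100 10.0.0.7#40013 (ungleich.ch): query: ungleich.ch IN A + (10.0.0.1)
Jul 28 08:45:22 router1 named[135105]: client @0x7f13c4158c00 172.117.192.180#3076 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
"""

# Stricter form of the pattern proposed in the mail (my adaptation, not BIND's
# or the project's own definition):
#  - "named[<pid>]: client" pins the match to the named daemon,
#  - the "@0x..." client pointer is optional (older BIND versions omit it),
#  - the address charset covers both IPv4 and IPv6,
#  - the "#" separator guarantees we capture the address, not the query name.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \([^)]*\) '(?P<query>[^']*)' denied$"
)


def parse_denied(line):
    """Return the fields of a 'query ... denied' line, or None if it is not one."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return {
        "addr": m.group("addr"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "query": m.group("query"),
    }


def denied_by_client(lines):
    """Count denied queries per client address over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is not None:
            counts[rec["addr"]] += 1
    return counts


def offenders(lines, threshold):
    """Client addresses with at least `threshold` denied queries, sorted."""
    return sorted(addr for addr, n in denied_by_client(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for addr, n in denied_by_client(lines).most_common():
        print(f"{addr:>20}  {n} denied queries")
    # Assumed threshold of 2 hits within the sample window.
    print("offenders:", offenders(lines, 2))
```

The per-client counter stands in for whatever the real tool does with the extracted address (a ban list, a rate limit, an alert); in a fail2ban-style filter the `addr` group would be written as `<HOST>` instead. Note that the `denied` string is the same for a refused recursion and for a refused cache lookup, so the counter does not distinguish the two; if that matters, keep the `query` field and inspect the record type (the `RRSIG` and `ANY` lookups above are typical of amplification probing) before acting on the address.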