Malicious-DNS

Tony Finch dot at dotat.at
Mon Feb 18 14:23:43 UTC 2019


MEjaz <mejaz at cyberia.net.sa> wrote:
>
> If I enable it, will the system's performance slow down?

Depends on how much load your servers are under and what their capacity
is.

An alternative to query logs, when you are searching for a known query
name, is to use tcpdump. It's tedious and fiddly to convert the name to
DNS wire format and then into a pcap filter expression, so I have a little
script to do that (quoted below after my .sig). The command you want is
like:

tcpdump -np udp port 53 and '(' udp[20] == 8 and udp[21] == 118 and udp[22] == 105 and udp[23] == 116 and udp[24] == 97 and udp[25] == 109 and udp[26] == 105 and udp[27] == 110 and udp[28] == 99 and udp[29] == 3 and udp[30] == 112 and udp[31] == 114 and udp[32] == 111 ')'

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Iceland: Northerly 6 to gale 8, veering northeasterly 5 to 7. Rough
or very rough. Rain or wintry showers. Good, occasionally poor.


#!/usr/bin/perl
#
# Convert a domain name into a tcpdump (pcap) filter expression that
# matches DNS packets whose question name begins with that name.

use warnings;
use strict;

use Net::DNS::DomainName;

die "usage: $0 <domain-name>\n"
    unless @ARGV == 1;

my $text = shift;

# Wire format: length-prefixed labels, lower-cased, ending in the root label.
my $wire = Net::DNS::DomainName->new($text)->canonical;

my @wire = unpack 'C*', $wire;

# Without a trailing dot, drop the terminating zero octet so the filter
# also matches names below the one given; with a trailing dot keep it so
# that only the exact name matches.
pop @wire unless $text =~ m{\.$};

# udp[n] counts from the start of the UDP header: 8 bytes of UDP header
# plus 12 bytes of DNS header put the first QNAME octet at udp[20].
# The parentheses are quoted for the shell.
printf "'(' %s ')'\n",
    join ' and ',
    map { sprintf "udp[%d] == %d",
              20 + $_, $wire[$_] }
    0 .. $#wire;

#!/usr/bin/perl
#
# Print the byte values of a single DNS label, comma-separated.

use warnings;
use strict;

die "usage: tcpdump-qname.pl <dns-label>\n"
    unless @ARGV == 1;

my $name = shift;

my @name = unpack 'C*', $name;

printf "%s\n", join ', ', @name;
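The filter construction described in the reply above, as an added example that is not part of the original post or of Tony's script: a Python 3 (standard library only) rewrite of the same idea that goes a little beyond it. It keeps the trailing-dot rule (exact match versus match-the-name-and-everything-below-it), adds an optional case-insensitive mode that masks off the 0x20 bit on ASCII letters so queries using 0x20 case randomisation still match, and checks the generated terms against a constructed UDP datagram so the offsets can be verified offline without running tcpdump. The function names, the sample port numbers and the sample query names are assumptions made for this example.

```python
"""Build a tcpdump/BPF filter that matches DNS packets for a given QNAME."""
import struct

UDP_HEADER_LEN = 8
DNS_HEADER_LEN = 12
# tcpdump's udp[n] indexes from the start of the UDP header, so the
# first byte of the question name sits at udp[8 + 12] == udp[20].
QNAME_OFFSET = UDP_HEADER_LEN + DNS_HEADER_LEN


def qname_wire(name):
    """Encode NAME as DNS wire-format labels (length byte + label bytes).

    A trailing dot marks the name as fully qualified, so the terminating
    root label (0x00) is kept and the filter matches exactly that name.
    Without a trailing dot the terminator is dropped and the filter also
    matches every name underneath it.
    """
    fqdn = name.endswith(".")
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out.append(len(raw))
        out += raw
    if fqdn:
        out.append(0)
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def filter_terms(name, case_insensitive=False):
    """Return (udp_offset, mask, value) triples, one per QNAME byte.

    With case_insensitive=True, ASCII letters are compared with bit 0x20
    masked off, so 'VitaminC' and 'vitaminc' both match.
    """
    terms = []
    for i, b in enumerate(qname_wire(name)):
        off = QNAME_OFFSET + i
        if case_insensitive and bytes([b]).isalpha():
            terms.append((off, 0xDF, b & 0xDF))
        else:
            terms.append((off, 0xFF, b))
    return terms


def pcap_filter(name, case_insensitive=False):
    """Render the terms as a pcap filter expression for tcpdump."""
    parts = []
    for off, mask, val in filter_terms(name, case_insensitive):
        if mask == 0xFF:
            parts.append("udp[%d] == %d" % (off, val))
        else:
            parts.append("udp[%d] & 0x%02x == %d" % (off, mask, val))
    return "udp port 53 and (" + " and ".join(parts) + ")"


def match_udp(datagram, terms):
    """Apply the filter semantics to a raw UDP datagram (header + payload)."""
    for off, mask, val in terms:
        if off >= len(datagram) or datagram[off] & mask != val:
            return False
    return True


def build_query(name, qtype=1):
    """Constructed sample (not captured traffic): a UDP datagram carrying a
    DNS query for NAME.

    UDP header (source port, destination port 53, length, checksum 0)
    followed by a 12-byte DNS header with QDCOUNT=1 and one question.
    """
    question = qname_wire(name.rstrip(".") + ".") + struct.pack("!HH", qtype, 1)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, UDP_HEADER_LEN + len(dns), 0)
    return udp + dns


if __name__ == "__main__":
    # Pass the whole expression as one argument so the shell leaves the
    # parentheses alone: tcpdump -np "$(python3 this_script.py)"
    print(pcap_filter("vitaminc.pro"))
    print(pcap_filter("vitaminc.pro", case_insensitive=True))
```

Two caveats worth keeping in mind when using a filter of this shape: `udp port 53` only sees UDP, so queries that arrive or are retried over TCP are missed, and because a response echoes the question section at the same offset, the filter matches both the query and its answer, which is convenient for seeing who asked and what they got back.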



More information about the bind-users mailing list