CVE-2015-7547 mitigation script, potential problem

Øystein Viggen
Hi,

New poster, long time user here.

On Friday, I enabled the Lua script from
https://gist.github.com/ahupowerdns/0f7de247dd200dea41bf, and today I
disabled it again.

After adding some extra logging (domain and qtype), I noticed that our
most prevented query was "_nos._tcp.nos-avg.cz.|SRV", which seems to be
used by the AVG Antivirus updater.  I considered whitelisting that
record in the lua-script, but then I noticed that all the other blocked
things were fairly legit looking, too.


This isn't intended as a complaint, as the script certainly does what it
says on the tin.  However, people who deployed the script may consider
monitoring if it breaks anything they care about.


For anyone interested, I changed the logging line like so:

pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes. Query was: "..domain.."|"..qtype)

..and used https://en.wikipedia.org/wiki/List_of_DNS_record_types to
decode the numerical qtype values.


Øystein
_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
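As an added example (not part of the post above, and not code from the gist or from PowerDNS), here is a small Python helper that does the monitoring the poster suggests: it parses log lines in the format produced by the modified pdnslog() call, decodes the numeric qtype with a subset of the IANA RR type registry (unknown values fall back to the RFC 3597 TYPEnnn notation), and ranks the blocked (name, qtype) pairs so an operator can see which legitimate-looking queries the mitigation is suppressing before deciding on a whitelist. The log lines, IP addresses and response sizes below are constructed sample data, and the syslog-style prefix is assumed; only the "Protected ... Query was: name|qtype" part is taken from the post.

```python
import re
from collections import Counter, defaultdict

# Subset of the IANA DNS RR type registry (the same numbers as the Wikipedia
# list the post links to); anything not listed is rendered as TYPE<n>.
QTYPE_NAMES = {
    1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
    28: "AAAA", 33: "SRV", 35: "NAPTR", 43: "DS", 46: "RRSIG", 47: "NSEC",
    48: "DNSKEY", 255: "ANY",
}

# Matches the message produced by the poster's modified pdnslog() line.
# search() rather than match() so any syslog prefix in front of it is ignored.
LOG_RE = re.compile(
    r"Protected (?P<ip>\S+) against an overly large response of "
    r"(?P<len>\d+) bytes\. Query was: (?P<domain>\S+)\|(?P<qtype>\d+)"
)

# Constructed sample log lines (RFC 5737 addresses, made-up sizes).
SAMPLE_LINES = [
    "Feb 22 10:01:02 rec1 pdns_recursor[1234]: Protected 192.0.2.10 against an "
    "overly large response of 2561 bytes. Query was: _nos._tcp.nos-avg.cz.|33",
    "Feb 22 10:01:09 rec1 pdns_recursor[1234]: Protected 192.0.2.11 against an "
    "overly large response of 3100 bytes. Query was: _nos._tcp.nos-avg.cz.|33",
    "Feb 22 10:02:41 rec1 pdns_recursor[1234]: Protected 198.51.100.5 against an "
    "overly large response of 2700 bytes. Query was: example.net.|16",
    "Feb 22 10:02:42 rec1 pdns_recursor[1234]: Protected 198.51.100.6 against an "
    "overly large response of 2100 bytes. Query was: example.org.|65280",
    "Feb 22 10:03:00 rec1 pdns_recursor[1234]: some unrelated log line",
]


def qtype_name(qtype):
    """Mnemonic for a numeric qtype, or RFC 3597 style TYPE<n> when unknown."""
    return QTYPE_NAMES.get(qtype, "TYPE%d" % qtype)


def parse_line(line):
    """Return a dict for a 'Protected ...' line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "len": int(m.group("len")),
        "domain": m.group("domain"),
        "qtype": qtype_name(int(m.group("qtype"))),
    }


def top_blocked(lines):
    """Rank blocked (domain, qtype) pairs by how often the script fired."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["domain"], rec["qtype"])] += 1
    return counts.most_common()


def largest_response(lines):
    """Largest blocked response size seen per (domain, qtype).

    Useful when judging how far above the script's threshold a legitimate
    service's answers are before deciding whether to whitelist it."""
    largest = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = (rec["domain"], rec["qtype"])
            largest[key] = max(largest[key], rec["len"])
    return dict(largest)


if __name__ == "__main__":
    for (domain, qtype), n in top_blocked(SAMPLE_LINES):
        print("%6d  %s|%s" % (n, domain, qtype))
```

Run against a real recursor log, feed it the file's lines instead of SAMPLE_LINES; the ranking is what the poster used to spot the AVG updater's SRV lookup as the most frequently blocked query.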