CVE-2015-7547 mitigation script, potential problem

Øystein Viggen

New poster, long time user here.

On Friday, I enabled the lua-script from, and today, I
disabled it again.

After adding some extra logging (domain and qtype), I noticed that our
most prevented query was "|SRV", which seems to be
used by the AVG Antivirus updater.  I considered whitelisting that
record in the lua-script, but then I noticed that all the other blocked
things were fairly legit looking, too.

This isn't intended as a complaint, as the script certainly does what it
says on the tin.  However, people who deployed the script may consider
monitoring if it breaks anything they care about.

For anyone interested, I changed the logging line like so:

pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes. Query was: "..domain.."|"..qtype)

..and used to
decode the numerical qtype values.

Pdns-users mailing list
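
One way to do the monitoring suggested in the post, as an added example (not part of the original message or the PowerDNS project's code): a Python tally of blocked queries from recursor logs that carry the modified pdnslog() line shown above. The syslog prefix, sample lines, and function names are constructed for illustration; the qtype table is a subset of the IANA registry.

```python
import re
from collections import Counter

# IANA DNS RR type numbers for common types (subset).
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 43: "DS", 46: "RRSIG",
          48: "DNSKEY", 255: "ANY"}

# Matches the message produced by the modified pdnslog() line in the post.
LINE_RE = re.compile(
    r"Protected (?P<ip>\S+) against an overly large response of "
    r"(?P<len>\d+) bytes\. Query was: (?P<domain>[^|\s]*)\|(?P<qtype>\w+)")

def qtype_name(value):
    """Decode a numeric qtype; unknown numbers use the RFC 3597 TYPEnnn form."""
    if not value.isdigit():
        return value.upper()  # already a mnemonic
    return QTYPES.get(int(value), "TYPE" + value)

def summarize(lines):
    """Return (count per blocked query, set of client IPs per blocked query)."""
    counts, clients = Counter(), {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        key = (m["domain"].rstrip(".").lower(), qtype_name(m["qtype"]))
        counts[key] += 1
        clients.setdefault(key, set()).add(m["ip"])
    return counts, clients

# Constructed sample log: prefix, addresses and names are made up.
SAMPLE = """\
Feb 22 09:14:02 rec1 pdns_recursor[811]: Protected 192.0.2.10 against an overly large response of 2311 bytes. Query was: _updates._tcp.example.net.|33
Feb 22 09:14:09 rec1 pdns_recursor[811]: Protected 192.0.2.11 against an overly large response of 2311 bytes. Query was: _updates._tcp.example.net.|33
Feb 22 09:15:41 rec1 pdns_recursor[811]: Protected 192.0.2.10 against an overly large response of 4096 bytes. Query was: example.org.|16
Feb 22 09:15:42 rec1 pdns_recursor[811]: stats: 1200 questions, 310 cache entries
Feb 22 09:16:03 rec1 pdns_recursor[811]: Protected 192.0.2.12 against an overly large response of 2100 bytes. Query was: Example.ORG.|65280
"""

if __name__ == "__main__":
    counts, clients = summarize(SAMPLE.splitlines())
    # Most frequently blocked queries first, with the number of affected clients.
    for (domain, qtype), n in counts.most_common():
        print(f"{n:5d}  {domain}|{qtype}  clients={len(clients[(domain, qtype)])}")
```

Reviewing the top entries of this summary before and after enabling the script shows which legitimate lookups it is dropping and how many clients depend on them.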