All, this may be used as a template to protect against DNS NXDOMAIN attacks. The aFlex dynamically builds a table of FQDNs from observed DNS replies whose response code is NXDOMAIN. Entries are stored for one hour (3600 seconds), and subsequent requests for those FQDNs are blocked while the entry exists.
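# NXDOMAIN hold-down: a name that resolved to NXDOMAIN is recorded in the
# "blacklist" table and later requests for the same name are dropped until
# the entry expires (::holdtime seconds).
#
# Caveats that follow directly from how this script works:
#  - The table is keyed per unique name, so traffic made of never-repeating
#    names (one NXDOMAIN per query) creates one entry per query and the table
#    grows without bound for ::holdtime seconds. The rule only helps when the
#    same names repeat; key on a parent zone or cap the table if that is the
#    traffic profile being defended against.
#  - Any name that returns NXDOMAIN once -- including a legitimate name while
#    an upstream resolver is failing -- is denied for the full hold time.
#  - Both handlers log every request/response at local0.3; under a flood that
#    logging is itself a cost, consider dropping the "permitted" log line in
#    production.
when RULE_INIT {
    # Seconds an NXDOMAIN entry stays in the table before it expires.
    set ::holdtime 3600
}

when DNS_RESPONSE {
    set repcode [DNS::header rcode]
    # DNS names are case-insensitive (and some resolvers randomise case);
    # normalise so the request lookup below matches the key stored here.
    # NOTE(review): whether DNS::question name includes a trailing dot is not
    # shown here -- confirm both handlers see the same form.
    set name [string tolower [DNS::question name]]
    if {$repcode equals "NXDOMAIN"} {
        if {[table lookup "blacklist" $name] == ""} {
            # First NXDOMAIN for this name: start the hold timer.
            table add "blacklist" $name "blocked" $::holdtime
            # Plain ASCII quotes: the original used typographic quotes, which
            # Tcl does not treat as string delimiters.
            log local0.3 "Table entry created"
        } else {
            # A response for a name already on hold (its request predates the
            # entry or reached the server by another path); nothing to change.
            log local0.3 "A subsequent response for $name was observed within the timeout"
        }
    }
}

when DNS_REQUEST {
    # Same normalisation as DNS_RESPONSE so the table key matches.
    set req [string tolower [DNS::question name]]
    if {[table lookup "blacklist" $req] == ""} {
        log local0.3 "Request $req permitted."
    } else {
        # Name is on hold: drop the query rather than forward it.
        log local0.3 "Request $req denied."
        drop
    }
}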