DNS Query ID Zero Blocking

Problem this snippet solves:

This short iRule drops one kind of malformed DNS request that is usually seen in DNS attacks: a query whose 16-bit transaction ID (query ID) is zero. Note that an ID of zero is a legal value under RFC 1035, so a resolver that randomizes its IDs will have roughly 1 in 65536 of its queries dropped; the rule trades that small loss for a very cheap filter against tools that never set the field.

Code:

when RULE_INIT {
    # Logging switches: 0 = silent, 1 = log to local0.
    # Logging every accepted query is expensive under a flood; leave that one at 0 in production.
    set static::zero_log_accepted_requests 0
    set static::zero_log_dropped_requests 0
    set static::zero_log_malformed_requests 0
}

when CLIENT_ACCEPTED {
    # "binary scan ... S" reads the first two payload bytes as a big-endian 16-bit
    # signed integer, i.e. the DNS transaction ID. It returns 0 (nothing scanned)
    # when the datagram is shorter than two bytes, which is treated as malformed.
    # Note: CLIENT_ACCEPTED fires once per UDP flow, so only the first datagram of a
    # flow is inspected unless datagram load balancing is enabled on the UDP profile
    # or the check is moved to CLIENT_DATA.
    if {![binary scan [UDP::payload] S qid]} {
        if { $static::zero_log_malformed_requests == 1 } {
            log local0. "malformed request. dropped. [IP::remote_addr] -> [IP::local_addr]"
        }
        UDP::drop
    } else {
        # The signed scan makes IDs 0x8000-0xFFFF come out negative, but only
        # equality with zero matters here.
        if { $qid == 0 } {
            if { $static::zero_log_dropped_requests == 1 } {
                log local0. "zero qid detected. dropped. [IP::remote_addr] -> [IP::local_addr]"
            }
            UDP::drop
        } else {
            if { $static::zero_log_accepted_requests == 1 } {
                log local0. "query accepted. [IP::remote_addr] -> [IP::local_addr]"
            }
        }
    }
}
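The decision the iRule makes, modelled offline in Python so it can be exercised without a BIG-IP. This is an added example, not part of the original iRule: it builds DNS query datagrams (constructed samples, not captured traffic), applies the same malformed / zero-ID / accepted split, shows why Tcl's signed `S` scan is still correct for the zero test, and includes an optional probe sender whose target host and port are placeholders.

```python
"""Offline model of the query-ID-zero check.

Added example; not part of the original iRule and not BIG-IP code. Sample
datagrams are constructed inline. The probe target (192.0.2.53:53) is a
placeholder from TEST-NET-1 and is never contacted unless you call send_probe().
"""
import socket
import struct


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: 12-byte header, one question, no EDNS."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN


def tcl_scan_S(payload: bytes):
    """Mimic `binary scan $payload S qid`: big-endian, 16-bit, *signed*.
    Returns None when fewer than 2 bytes are present (Tcl scan count 0)."""
    if len(payload) < 2:
        return None
    return struct.unpack(">h", payload[:2])[0]


def classify(payload: bytes) -> str:
    """Same three verdicts as the iRule's branches."""
    qid = tcl_scan_S(payload)
    if qid is None:
        return "malformed"      # iRule: scan failed -> UDP::drop
    if qid == 0:
        return "zero-qid"       # iRule: $qid == 0 -> UDP::drop
    return "accepted"           # iRule: passes through, no further checks


def filter_datagrams(datagrams):
    """Run classify() over a batch. Returns per-verdict counts and the
    per-datagram verdict list, the equivalent of the iRule's three log lines."""
    counts = {"accepted": 0, "zero-qid": 0, "malformed": 0}
    verdicts = []
    for dgram in datagrams:
        verdict = classify(dgram)
        counts[verdict] += 1
        verdicts.append(verdict)
    return counts, verdicts


# Constructed sample traffic: two normal queries, one attack-style query with
# ID 0, and one truncated datagram that cannot be scanned.
SAMPLE_DATAGRAMS = [
    build_query(0x1A2B, "example.com"),
    build_query(0, "example.com"),
    build_query(0xBEEF, "example.net", qtype=28),   # AAAA
    b"\x00",
]


def send_probe(payload: bytes, host: str = "192.0.2.53", port: int = 53,
               timeout: float = 2.0) -> bool:
    """Send one datagram at a virtual server to confirm the iRule drops it.
    Placeholder host/port; not called by default. Returns True if a reply
    arrived, False on timeout (i.e. the query was dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            s.recvfrom(512)
            return True
        except socket.timeout:
            return False


if __name__ == "__main__":
    counts, verdicts = filter_datagrams(SAMPLE_DATAGRAMS)
    for dgram, verdict in zip(SAMPLE_DATAGRAMS, verdicts):
        print(f"{verdict:10s} qid={tcl_scan_S(dgram)} len={len(dgram)}")
    print(counts)
```

Before deploying, run the classifier over a capture of real resolver traffic and compare the "zero-qid" count against the total: a resolver that randomizes IDs lands on zero about once per 65536 queries, and that is the legitimate traffic this rule will cost you.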
Published Mar 17, 2015
Version 1.0
