Is advisable block based on tcpdump Refused output?

postcd

Member
Joined
Jul 8, 2017
Messages
37
Reaction score
3
Credits
89
Hello,

the DNS server can log denied DNS queries and i can use fail2ban or configserver firewall to ban IPs with excessive denied log entries, but my CentOS 6 log file (/var/log/messages) is 2GB for last around 72 hours thanks to denied queries. It is not attack. So i thought if i can disable logging of these DNS denied queries and instead monitor tcpdump output for refused queries and ban IPs with too many refused. What do you think? Is that actually possible and wise?

tcpdump -nn -vv net myserverip and port 53|grep Refused
myserverip.53 > someip1.18870: [udp sum ok] 39049 Refused- q: A? domain1.com. 0/0/1 ar: . OPT UDPsize=4096 OK (41)
myserverip.53 > someip2.28663: [udp sum ok] 52357 Refused- q: A? domain2.com. 0/0/1 ar: . OPT UDPsize=4096 OK (40)

Is there any already made solution that filter tcpdump output for blocking?
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Staff online


Top