Python module to ignore query

Hi,

Our Unbound servers have been hit by a Ubiquiti virus.
A lot of nonsense queries, like:

[1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
[1494383886] unbound[58166:2] info: x.x.x.x 367.054.004.010. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 277.211.363.004. A IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.250.054.045. A IN
[1494383886] unbound[58166:0] info: x.x.x.x 345.036.325.173. A IN
[1494383886] unbound[58166:1] info: x.x.x.x 354.316.064.332. AAAA IN

No IP address like 333.x.x.x exists, for example.

So, I wrote a Python module to filter these questions.
But the problem with the code below is that there is an answer with
RCODE_NXDOMAIN or RCODE_REFUSED to the origin.

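import re

# Query names made of exactly four three-digit labels, e.g. "333.167.145.065."
if re.match(r"([0-9]{3}\.){4}$", name):
    log_info("filter.py: " + name + " invalid")
    # Answer NXDOMAIN and stop processing this query
    qstate.return_rcode = RCODE_NXDOMAIN
    qstate.ext_state[id] = MODULE_FINISHED
    return True
else:
    # Hand any other query to the next module
    qstate.ext_state[id] = MODULE_WAIT_MODULE
    return True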

Is there a way for the module to not answer the query?
Generating no packet is the best approach to not generate a DNS
amplification attack, for example.

I just need to drop the query and move on.

Thank you.

Regards,
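
The filter in the post above can be checked offline against query-log lines before it is loaded into the resolver. This is an added example, not part of the original post: it reuses the post's regular expression and log layout, while the 192.0.2.x clients, their query names, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Same pattern as the filter in the post, written as a raw string.
FILTER_RE = re.compile(r"([0-9]{3}\.){4}$")

# Layout of the quoted log lines: [epoch] unbound[pid:thread] info: client qname qtype qclass
LOG_RE = re.compile(
    r"^\[\d+\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# The first two lines are from the post; the 192.0.2.x lines are constructed.
SAMPLE_LOG = """\
[1494383886] unbound[58166:3] info: x.x.x.x 333.167.145.065. A IN
[1494383886] unbound[58166:6] info: x.x.x.x 367.046.375.366. AAAA IN
[1494383887] unbound[58166:1] info: 192.0.2.10 www.example.com. A IN
[1494383887] unbound[58166:2] info: 192.0.2.10 10.2.0.192.in-addr.arpa. PTR IN
[1494383887] unbound[58166:0] info: 192.0.2.11 123.456.789.012.example.com. A IN
[1494383887] unbound[58166:4] info: 192.0.2.11 192.168.100.200. A IN
"""

def parse_line(line):
    """Return the fields of one query-log line, or None if it has another shape."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def filter_matches(qname):
    """True when the post's filter would act on this query name."""
    return FILTER_RE.match(qname) is not None

def summarize(log_text):
    """Count filtered queries per client and list the names that pass through."""
    matched, passed = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a query-log line
        if filter_matches(rec["qname"]):
            matched[rec["client"]] += 1
        else:
            passed.append(rec["qname"])
    return matched, passed

if __name__ == "__main__":
    matched, passed = summarize(SAMPLE_LOG)
    print("filtered per client:", dict(matched), "| passed through:", passed)
```

The pattern keys on label shape, not octet range, so the constructed name 192.168.100.200. is filtered as well, while a name that only begins with four three-digit labels passes through.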

As a help-the-discussion-along question, is there a way to exercise
something similar to "local-domain: example.com deny" behavior from
within a python module?

Hi Eric,

I think you can call the Python module after the iterator. In the module you can test for the presence of response data. But, if not, you have the same problem as mine: not sending an answer.

But is that wise? If this malware ends up sending the DNS query
to a legitimate system DNS function, then such a DNS function
will retry the query a number of times to all the DNS resolvers
configured on the client. So you are actually making the problem
worse.

Filtering a DNS query on a recursor is almost never the right solution.

Paul

No one?

Thanks.