DNS Flood Detector was developed to detect abusive usage levels on high-traffic nameservers and to enable a quick response in halting (among other things) the use of one's nameserver to facilitate spam. DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor incoming DNS queries to a nameserver. The tool may be run in one of two modes, daemon mode or "bindsnap" mode. In daemon mode, the tool raises alarms via syslog. In bindsnap mode, the user gets near-real-time usage statistics to aid in more detailed troubleshooting.
Tags: Internet, DNS, Networking
Release Notes: Address filtering options are now available, as are fractional query rates for better precision. This update also fixes several crashes and segfaults that affected overall reliability.
Release Notes: This release adds the A6, AAAA, and ANY qtypes. It examines all packets with a qdcount of at least 1, and stops processing packets that contain invalid DNS characters. TCP parsing has been fixed. A '-D' option has been added to dump DNS packets.
Release Notes: A "mark stats" capability was added, which allows periodic logging of aggregate query rates. For example, it can be used to build pretty graphs. Some code cleanup was done on the verbose syslogging code.
Release Notes: This release fixes a buffered output problem in bindsnap mode which made it difficult to direct output to a file, changes the syslog logging priority to "notice" from "info" to keep syslogd on default FreeBSD installations from discarding the messages, and fixes a logging bug encountered at low traffic rates while in "-v -v" mode.
Release Notes: This release adds malloc failure handling, pthread mutex locking, and "-v -v" support to daemon mode. It fixes the alarm reset bug in daemon mode and a segfault problem caused by bogus qtypes.