[GH-ISSUE #1525] Log format to write fail2ban rules #694

Closed
opened 2026-03-15 23:50:24 +03:00 by kerem · 4 comments
Originally created by @williamdes on GitHub (Jul 19, 2021).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/1525

Is your feature request related to a problem? Please describe.

The pizzaseo attack is filling my logs and wasting performance; I need a better log format.
Now I use --debug to get the IP address printed, but it is not practical because it is not on the same line as the request.

https://www.teaparty.net/technotes/dns-fail2ban.html

Describe the solution you'd like

Custom log format, or format %type %name %ip

Describe alternatives you've considered
~~Writing a multi-line rule~~

[Init]
maxlines = 2

[Definition]
failregex = ^.*received udp request from: <HOST>:[0-9]+\n.*name: pizzaseo\.com\. .*$
ignoreregex =

Additional context
The pizzaseo attack is one you can Google; my server, which I recently started, is now filled with these requests 24/7.

2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127341:DEBUG:trust_dns_server::server::server_future:76:received udp request from: 37.210.110.34:6672
2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127404:INFO:trust_dns_server::server::server_future:594:request: 1 type: Query op_code: Query dnssec: false name: pizzaseo.com. type: RRSIG class: IN
2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127416:DEBUG:trust_dns_server::authority::catalog:131:query received: 1
2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127424:DEBUG:trust_dns_server::authority::catalog:379:searching authorities for: pizzaseo.com.
2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127438:DEBUG:trust_dns_server::authority::catalog:379:searching authorities for: com.
2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127446:DEBUG:trust_dns_server::authority::catalog:379:searching authorities for: .
2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127458:INFO:trust_dns_server::server::response_handler:49:response: 1 response_code: 3
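The correlation that the multi-line fail2ban rule above attempts, done as a small log-processing script. This is an added example, not code from the issue or from trust-dns/hickory-dns: it pairs each `received udp request from` DEBUG line with the next `request:` INFO line and emits the single-line `%type %name %ip` form proposed in the issue. The sample lines are the issue's own plus one constructed second source (192.0.2.10); `%port` is an assumed extra placeholder.

```python
import re
from collections import Counter
from typing import Iterable, Iterator, NamedTuple

# Constructed sample: the issue's own log lines plus one made-up second source (192.0.2.10).
SAMPLE_LOG = [
    "2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127341:DEBUG:trust_dns_server::server::server_future:76:received udp request from: 37.210.110.34:6672",
    "2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127404:INFO:trust_dns_server::server::server_future:594:request: 1 type: Query op_code: Query dnssec: false name: pizzaseo.com. type: RRSIG class: IN",
    "2021-07-19T13:30:19+00:00 localhost trust-dns[943029]: 1626701419.127416:DEBUG:trust_dns_server::authority::catalog:131:query received: 1",
    "2021-07-19T13:30:20+00:00 localhost trust-dns[943029]: 1626701420.000001:DEBUG:trust_dns_server::server::server_future:76:received udp request from: 192.0.2.10:40001",
    "2021-07-19T13:30:20+00:00 localhost trust-dns[943029]: 1626701420.000002:INFO:trust_dns_server::server::server_future:594:request: 2 type: Query op_code: Query dnssec: false name: example.org. type: A class: IN",
]
RECV_RE = re.compile(r"received \w+ request from: (?P<addr>\S+)$")
REQ_RE = re.compile(r"request: \d+ type: \w+ op_code: \w+ dnssec: \w+ "
                    r"name: (?P<name>\S+) type: (?P<qtype>\w+) class: \w+")

class Query(NamedTuple):
    ip: str
    port: int
    name: str
    qtype: str

def split_addr(addr: str) -> tuple:
    """'37.210.110.34:6672' -> ('37.210.110.34', 6672); also handles '[v6]:port'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def correlate(lines: Iterable[str]) -> Iterator[Query]:
    """Pair each 'received ... request from' DEBUG line with the next 'request:' INFO line."""
    pending = None
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            pending = split_addr(m.group("addr"))
            continue
        m = REQ_RE.search(line)
        if m and pending is not None:
            ip, port = pending
            pending = None  # consumed: one source line feeds exactly one request line
            yield Query(ip, port, m.group("name"), m.group("qtype"))

def format_line(q: Query, fmt: str = "%type %name %ip") -> str:
    """Render a query in the single-line shape the issue asks for (%port is an added placeholder)."""
    return (fmt.replace("%type", q.qtype).replace("%name", q.name)
               .replace("%ip", q.ip).replace("%port", str(q.port)))

def sources_for(lines: Iterable[str], name: str) -> Counter:
    """Requests per source IP for one queried name: who is hammering e.g. pizzaseo.com."""
    return Counter(q.ip for q in correlate(lines) if q.name == name)
```

Unrelated DEBUG lines between the two matched lines are skipped, and a `request:` line with no preceding source line is dropped rather than attributed to a stale address.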
@williamdes commented on GitHub (Aug 30, 2021):

Hi @bluejekyll

What do you think about this one?

@bluejekyll commented on GitHub (Aug 30, 2021):

This sounds like a good feature. I'll need to review the logs and see where this can be extracted to make sure we get the information you're interested in.

@williamdes commented on GitHub (Aug 30, 2021):

> This sounds like a good feature. I'll need to review the logs and see where this can be extracted to make sure we get the information you're interested in.

Thanks, let me know if you need some testing 🚀
The pizzaseo attack is well known and a big pain..

Needed:

  • unique identifier of the request (type, query)
  • IP + PORT (not sure if port is useful but anyway)
@bluejekyll commented on GitHub (Sep 3, 2021):

Ok, looking at this, I think there are two things. I think we should create a blocklist for queries that would possibly allow for blocking of malicious queries. For this issue though, I will create a simplified log line for this.
