feat(dns): detect CLASS=ANY queries as fingerprint_probe

qclass=255 in a standard query is unusual enough to be treated as a fingerprinting probe
(fpdns, various scanner scripts). Previously it was logged as a plain query
with qclass=ANY in the event field; now it emits fingerprint_probe with
probe=qclass_any and returns REFUSED — consistent with how we treat other
probe types.  Contributes to recon_burst.
2026-05-21 21:16:47 -04:00
parent 521d77b28f
commit 35159419bb
2 changed files with 41 additions and 0 deletions


@@ -715,6 +715,16 @@ def _handle(data: bytes, src_ip: str, src_port: int, transport: str) -> bytes |
return _chaos_txt_response(qid, rd, qname, answer_text)
return _refused_response(qid, rd, qname, qtype, qclass)
# ── CLASS=ANY fingerprint probe ────────────────────────────────────────
if qclass == CLASS_ANY:
_log(
"fingerprint_probe", severity=4,
src=src_ip, src_port=src_port, transport=transport,
probe="qclass_any", qname=qname.rstrip("."), qtype=qtype_name,
)
_note_recon_event(src_ip, "fingerprint_probe")
return _refused_response(qid, rd, qname, qtype, qclass)
# ── Classify amp / tunneling ───────────────────────────────────────────
is_amp = qtype == TYPE_ANY or (edns_size is not None and edns_size > 1232)
is_tunnel = _is_tunneling(qname, qtype, src_ip)
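Review bot: The new branch logs `qtype_name` and `qclass`, but both are computed above the hunk, and since `_handle` starts outside it I cannot confirm from these lines that `qtype_name` is already bound when `qclass == CLASS_ANY` fires — if it is only resolved inside the CHAOS path, this would raise `NameError` on the first probe. The section comment names the block but not the reasoning the commit message gives; I would put that next to the check so the severity and REFUSED choice are self-explaining: `# qclass=255 (ANY) never appears in ordinary resolver traffic; treat it as an fpdns-style probe: log, count toward recon_burst, refuse.` Note also that `qname` here is taken straight from the untrusted packet, so this depends on `_log` escaping control characters before writing — presumably already the case for the other probe types, but worth confirming since this path adds one more attacker-controlled field to the event.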