anti
a6b5b1a7f8
_parse_edns_size only extracted the requestor UDP size; every other field in the OPT record (DO bit, EDNS version, extended RCODE, all sub-options) was invisible. Replaced with _parse_opt_record returning a full dict: udp_size, ext_rcode, version, do_bit, z, options[(code, len, data)] NSID request (option code 3) is now detected as fingerprint_probe with probe=edns_nsid and contributes to recon_burst. DO bit, COOKIE (10), and other options are not escalated; udp_size continues to drive amp_probe.
36 KiB
36 KiB