author | Bob Aman <bob@sporkmonger.com> | 2017-06-21 11:30:58 -0700 |
---|---|---|
committer | Scott Moser <smoser@brickies.net> | 2017-07-21 13:19:06 -0400 |
commit | 42a7b34a12be7b0c43cfe8b94b397794d3e24c94 (patch) | |
tree | 8ca0d50a2a98ceec818155221e49e1a6b981d64b | |
parent | 7e41b2a773b81452f14a18ec8c4f3316a66d3f5e (diff) | |
Drop rand_str() usage in DNS redirection detection
Making lots of random invalid DNS queries interferes with the ability
of security teams to identify malicious or anomalous behavior from DNS
logs. The same goal should be achievable with a consistent query for a
name that is disallowed.
LP: #1088611
-rw-r--r-- | cloudinit/util.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/cloudinit/util.py b/cloudinit/util.py
index f570b9d3..ce2c6034 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1128,14 +1128,14 @@ def is_resolvable(name):
we have to append '.'.
The top level 'invalid' domain is invalid per RFC. And example.com
- should also not exist. The random entry will be resolved inside
- the search list.
+ should also not exist. The '__cloud_init_expected_not_found__' entry will
+ be resolved inside the search list.
"""
global _DNS_REDIRECT_IP
if _DNS_REDIRECT_IP is None:
badips = set()
badnames = ("does-not-exist.example.com.", "example.invalid.",
- rand_str())
+ "__cloud_init_expected_not_found__")
badresults = {}
for iname in badnames:
try: |
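Review bot: The fixed probe name on the `badnames` line trades evasion resistance for DNS-log hygiene, and nothing in the hunk records that trade-off: a redirecting resolver can now return NXDOMAIN for this one well-known literal and pass the check, which it could not do for a random label. A comment beside the tuple, `# Fixed (non-random) probe name so DNS monitoring can allow-list it; a resolver that special-cases this literal would evade redirection detection`, keeps that reasoning with the code. The literal also appears twice in the hunk, in the docstring and in the tuple; a single module-level constant referenced from both places would stop them drifting apart. is_resolvable starts and ends outside the hunk, so the remaining probe logic is not visible here.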