authorBob Aman <bob@sporkmonger.com>2017-06-21 11:30:58 -0700
committerScott Moser <smoser@brickies.net>2017-07-21 13:19:06 -0400
commit42a7b34a12be7b0c43cfe8b94b397794d3e24c94 (patch)
tree8ca0d50a2a98ceec818155221e49e1a6b981d64b
parent7e41b2a773b81452f14a18ec8c4f3316a66d3f5e (diff)
Drop rand_str() usage in DNS redirection detection
Making lots of random invalid DNS queries interferes with the ability of security teams to identify malicious or anomalous behavior from DNS logs. The same goal should be achievable with a consistent query for a name that is disallowed. LP: #1088611
-rw-r--r--cloudinit/util.py6
1 files changed, 3 insertions, 3 deletions
diff --git a/cloudinit/util.py b/cloudinit/util.py
index f570b9d3..ce2c6034 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1128,14 +1128,14 @@ def is_resolvable(name):
we have to append '.'.
The top level 'invalid' domain is invalid per RFC. And example.com
- should also not exist. The random entry will be resolved inside
- the search list.
+ should also not exist. The '__cloud_init_expected_not_found__' entry will
+ be resolved inside the search list.
"""
global _DNS_REDIRECT_IP
if _DNS_REDIRECT_IP is None:
badips = set()
badnames = ("does-not-exist.example.com.", "example.invalid.",
- rand_str())
+ "__cloud_init_expected_not_found__")
badresults = {}
for iname in badnames:
try: