From 42a7b34a12be7b0c43cfe8b94b397794d3e24c94 Mon Sep 17 00:00:00 2001
From: Bob Aman
Date: Wed, 21 Jun 2017 11:30:58 -0700
Subject: Drop rand_str() usage in DNS redirection detection

Making lots of random invalid DNS queries interferes with the ability of security teams to identify malicious or anomalous behavior from DNS logs. The same goal should be achievable with a consistent query for a name that is disallowed.

LP: #1088611
---
 cloudinit/util.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cloudinit/util.py b/cloudinit/util.py
index f570b9d3..ce2c6034 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1128,14 +1128,14 @@ def is_resolvable(name):
     we have to append '.'.
 
     The top level 'invalid' domain is invalid per RFC.  And example.com
-    should also not exist.  The random entry will be resolved inside
-    the search list.
+    should also not exist.  The '__cloud_init_expected_not_found__' entry will
+    be resolved inside the search list.
     """
     global _DNS_REDIRECT_IP
     if _DNS_REDIRECT_IP is None:
         badips = set()
         badnames = ("does-not-exist.example.com.", "example.invalid.",
-                    rand_str())
+                    "__cloud_init_expected_not_found__")
         badresults = {}
         for iname in badnames:
             try:
-- 
cgit v1.2.3
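Review bot: The fixed probe name on the `+` line in `badnames` is publicly known, so a redirecting resolver (captive portal, ISP NXDOMAIN hijack) can be configured to return NXDOMAIN for exactly `__cloud_init_expected_not_found__` while still wildcarding every other miss, which the random name it replaces could not be tuned against; that is a deliberate trade for DNS-log hygiene per the commit message, but the docstring does not record it. Suggest extending the docstring with `A fixed name is used deliberately so these probes are recognisable in DNS logs; a resolver that special-cases this exact name could evade the redirection check.` The literal now appears twice (docstring and tuple), so hoisting it to a module-level constant such as `_DNS_PROBE_NAME = "__cloud_init_expected_not_found__"` would keep the two from drifting. The underscores make the label a non-hostname under RFC 1123; glibc's resolver sends it regardless, but if any platform rejected it locally the probe would register as unresolvable without a query ever leaving the host, which would be worth a comment if it was considered. The body of is_resolvable continues past the `try:` at the end of the hunk.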