OK, so for a network with no mail servers (residential/SMB relying on WebMail) it may not be an issue. Is blocking TXT queries possible?

I found this:

"Once the initial DNS response is received by the malware, it then iterates to the next subdomain which is 'mail'. The malware uses this domain in another DNS TXT record query to attempt to retrieve the Stage 4 payload associated with this infection process. The response to this DNS request results in the transmission of the fourth stage malware, stored within the TXT record as displayed in Figures 10 and 11. Due to the size of the Stage 4 payload, DNS makes use of TCP for this transaction."

here: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

I have previously blocked TCP port 53 at my firewall (Untangle NGFW), and have not observed an ill effect.

OpenDNS (Cisco Umbrella) also has the target domains blocked at this time. My dnsmasq instance is pointed there for filtering my home Internet.

This threat appears to be extinguished pretty well, anyway.

regards,
Jim A.

On Mon, Mar 6, 2017 at 3:47 PM, Kurt H Maier <k...@sciops.net> wrote:
> On Mon, Mar 06, 2017 at 03:21:53PM -0500, Jim Alles wrote:
>>
>> Can / should dnsmasq be used to block DNS TXT record retrieval?
>
> Blocking TXT queries wholesale will stop many SPF records from getting
> through, which can interfere with email delivery.
>
> _______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
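A middle ground between blocking TXT wholesale (which, as Kurt notes, breaks SPF) and doing nothing is to watch dnsmasq's own `log-queries` output for the pattern the Talos write-up describes: one client walking through a series of subdomains of a single zone with TXT lookups. SPF resolution touches the zone apex and a few `include:` targets, not a stream of fresh labels. The script below is an added example written for this thread; it is not dnsmasq code and not from the Talos post. The log lines are constructed in the dnsmasq `query[TYPE] name from client` format, the "last two labels" zone approximation and the `min_distinct` threshold are assumptions to tune for your network, and no real domains are involved.

```python
"""Flag clients issuing TXT lookups that look like subdomain walking rather than SPF.

Added example for the dnsmasq-discuss thread above (not dnsmasq code, not from
the Talos post). Reads dnsmasq `log-queries` output, keeps TXT queries only, and
reports clients that query TXT records for many distinct names under one zone.
Sample log lines are constructed; thresholds are assumptions to tune.
"""
import re
from collections import defaultdict

# dnsmasq query log line: "Mon D HH:MM:SS dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(
    r"query\[(?P<rtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# Constructed sample: 192.168.1.20 does SPF-style apex lookups; 192.168.1.55 walks
# labels under a single zone, the stage-by-stage pattern the Talos post describes.
SAMPLE_LOG = """\
Mar  6 15:40:01 dnsmasq[1234]: query[A] www.example.net from 192.168.1.20
Mar  6 15:40:02 dnsmasq[1234]: query[TXT] example.net from 192.168.1.20
Mar  6 15:40:03 dnsmasq[1234]: query[TXT] _spf.example.net from 192.168.1.20
Mar  6 15:41:10 dnsmasq[1234]: query[TXT] www.tunnel-example.test from 192.168.1.55
Mar  6 15:41:11 dnsmasq[1234]: query[TXT] mail.tunnel-example.test from 192.168.1.55
Mar  6 15:41:12 dnsmasq[1234]: query[TXT] ns0.tunnel-example.test from 192.168.1.55
Mar  6 15:41:13 dnsmasq[1234]: query[TXT] ns1.tunnel-example.test from 192.168.1.55
Mar  6 15:41:14 dnsmasq[1234]: query[TXT] ns2.tunnel-example.test from 192.168.1.55
Mar  6 15:41:15 dnsmasq[1234]: query[TXT] ns3.tunnel-example.test from 192.168.1.55
"""


def registrable_zone(name, depth=2):
    """Approximate the owning zone as the last `depth` labels.

    Assumption: no Public Suffix List lookup; good enough for a home/SMB resolver,
    but names under co.uk-style suffixes need depth=3 or a real PSL.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse_txt_queries(log_text):
    """Yield (client, name) for each TXT query found in dnsmasq log output."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("rtype") == "TXT":
            yield m.group("client"), m.group("name").lower()


def find_txt_walkers(log_text, min_distinct=4):
    """Return {(client, zone): sorted distinct names} for every client that queried
    TXT for at least `min_distinct` different names under the same zone."""
    seen = defaultdict(set)
    for client, name in parse_txt_queries(log_text):
        seen[(client, registrable_zone(name))].add(name)
    return {
        key: sorted(names) for key, names in seen.items() if len(names) >= min_distinct
    }


if __name__ == "__main__":
    # With the constructed sample only 192.168.1.55 is reported; the SPF-style
    # client stays below the threshold.
    for (client, zone), names in find_txt_walkers(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} distinct TXT names under {zone}: {', '.join(names)}")
```

Point this at `/var/log/dnsmasq.log` (with `log-queries` enabled in dnsmasq.conf) from a cron job and the report gives you the client and zone to look at, which is the information Umbrella's domain block and the TCP/53 firewall rule do not surface on their own.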