Handle Google DNS SERVFAIL correctly in Quad9 detector #3196
mlodic merged 4 commits into intelowlproject:develop from
Conversation
| if not quad9_answer: | ||
| # Google dns request | ||
| google_answer = self._google_dns_query(observable) | ||
| # To handle dns server internal error |
| data = google_response.json() | ||
| status = data.get("Status") | ||
| # the DNS server encountered an internal error | ||
| if status == 2: |
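Review bot: `google_answer` is assigned from `self._google_dns_query(observable)` but the very next statement reads `google_response.json()`, a name that does not appear anywhere in these lines; either the query helper should return the raw response under that name, or the `.json()` parsing and the `Status` check belong inside `_google_dns_query` so the caller only sees the already-decoded result. As written the `Status == 2` branch cannot execute without a `NameError` first.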
Flake gave an error that `status` was unused, so I instead did this:

```python
data = google_response.json()
# the DNS server encountered an internal error
if data.get("Status") == 2:
    return None
```
| return malicious_detector_response( | ||
| self.observable_name, | ||
| False, | ||
| note="inconclusive (google dns servfail)", |
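Review bot: returning `malicious_detector_response(self.observable_name, False, note="inconclusive (google dns servfail)")` on SERVFAIL still yields a report whose verdict is `False`, which is the same false negative the PR sets out to remove; a consumer reading the report programmatically sees "not malicious" and never looks at the free-text `note`. Record the failure in the report's predefined `errors` field and log it, so an inconclusive lookup stays distinguishable from a genuine negative.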
you have to populate the predefined "errors" key in the final report of the analyzer instead of this. Also, you should add a log warning message.
| data = google_response.json() | ||
| status = data.get("Status") | ||
| # the DNS server encountered an internal error | ||
| if status == 2: |
also add a warning message and add the error in the "errors" key
done

```python
if google_answer is None:
    logger.warning(
        f"Inconclusive result for {observable}: Google DNS SERVFAIL (Status 2)"
    )
    self.report.errors.append("inconclusive (google dns servfail)")
```

…ctor, an error field and a warning message Closes #3196
c22beaa to e268e53
Hello @mlodic,

```python
logger.error(error_message)
self.report.errors.append(error_message)
```

thanks, last step please: a new screenshot of a new analysis to confirm the changes
Hello @mlodic,

[two screenshots attached]
Handle Google DNS SERVFAIL correctly in Quad9 detector. Closes #3191
Description
This PR fixes incorrect handling of Google DNS SERVFAIL (Status = 2) in the
Quad9 malicious domain detector.
Previously, when Quad9 returned no answers and Google returned SERVFAIL,
the analyzer treated the domain as non-malicious (NXDOMAIN-like behavior).
SERVFAIL means the result is inconclusive (DNS server error, DNSSEC failure,
or backend issue) and must not be treated as a valid negative.
This change introduces explicit handling of SERVFAIL:
- `malicious=False` with a note explaining the DNS failure

This prevents false negatives when Google DNS is temporarily failing.
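The decision logic the description spells out (Quad9 blocks a name, Google still resolves it, versus both resolvers failing, versus Google answering SERVFAIL), written out as an added example. This is not IntelOwl's code and not from the PR: the `Report` dataclass is a stand-in for the analyzer report the reviewers refer to, with a `malicious` verdict (`None` meaning inconclusive, my choice) and an `errors` list; the Quad9 answer is assumed to arrive as a list of resolved records and the Google answer as the parsed JSON of its DoH API, whose `Status` field carries the DNS rcode (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN). `classify_before` reproduces the behaviour the PR fixes, `classify` the corrected one; the corrected version goes slightly beyond the PR by treating any rcode other than NOERROR and NXDOMAIN as inconclusive, not only SERVFAIL. The sample responses are constructed.

```python
"""Added example, not IntelOwl's own code: the Quad9 / Google DNS decision
logic with a Google SERVFAIL treated as inconclusive instead of as a negative.

Assumptions (mine, not the project's): quad9_answer is a list of resolved
records, google_response is the parsed JSON of Google's DoH API, and Report
is a stand-in for the analyzer report with a `malicious` verdict and the
`errors` list the reviewers ask to be populated.
"""
import logging
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

logger = logging.getLogger(__name__)

# DNS rcode values carried in the "Status" field of Google's DoH JSON response
NOERROR = 0
SERVFAIL = 2
NXDOMAIN = 3
RCODE_NAMES = {NOERROR: "NOERROR", SERVFAIL: "SERVFAIL", NXDOMAIN: "NXDOMAIN"}


@dataclass
class Report:
    """Stand-in for the analyzer report; malicious=None means inconclusive."""
    observable: str
    malicious: Optional[bool]
    errors: List[str] = field(default_factory=list)


def classify_before(observable: str, quad9_answer: List[str],
                    google_response: Dict[str, Any]) -> Report:
    """The behaviour the PR fixes: 'no records from either resolver' is read
    as 'the name does not exist', whatever Google's status code was."""
    if quad9_answer:
        return Report(observable, False)
    # A SERVFAIL body has no "Answer" key, so it is silently treated like NXDOMAIN
    return Report(observable, bool(google_response.get("Answer")))


def classify(observable: str, quad9_answer: List[str],
             google_response: Dict[str, Any]) -> Report:
    """Corrected logic: Quad9 refusing what Google resolves -> malicious;
    absent from both resolvers -> not malicious; any non-definitive rcode
    from Google (SERVFAIL being the case from the PR) -> inconclusive."""
    if quad9_answer:
        # Quad9 resolved the name, so it is not on Quad9's blocklist
        return Report(observable, False)

    status = google_response.get("Status")
    if status not in (NOERROR, NXDOMAIN):
        # Server error, DNSSEC failure, upstream outage, malformed body:
        # no verdict either way, so record an error and warn, never a negative
        name = RCODE_NAMES.get(status, "unknown")
        message = (f"inconclusive: Google DNS returned {name} "
                   f"(Status {status!r}) for {observable}")
        logger.warning(message)
        return Report(observable, None, [message])

    if status == NOERROR and google_response.get("Answer"):
        # Google resolves the name but Quad9 refused to: Quad9 is blocking it
        return Report(observable, True)

    # NXDOMAIN, or NOERROR with no records: the name does not exist anywhere
    return Report(observable, False)


# Constructed sample bodies in the shape of Google's DoH JSON API (not captured)
GOOGLE_RESOLVED = {"Status": NOERROR,
                   "Answer": [{"name": "example.com.", "type": 1,
                               "TTL": 300, "data": "93.184.216.34"}]}
GOOGLE_NXDOMAIN = {"Status": NXDOMAIN}
GOOGLE_SERVFAIL = {"Status": SERVFAIL, "Comment": "DNSSEC validation failure"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Quad9 returned nothing in every row; only Google's answer differs
    for label, google in [("resolved", GOOGLE_RESOLVED),
                          ("nxdomain", GOOGLE_NXDOMAIN),
                          ("servfail", GOOGLE_SERVFAIL)]:
        before = classify_before("example.com", [], google)
        after = classify("example.com", [], google)
        print(f"{label:9} before={before.malicious!s:5} "
              f"after={after.malicious!s:5} errors={after.errors}")
```

Running the block prints one row per Google outcome: on `servfail` the old logic reports `False` while the corrected one reports `None` with the error text that would go into the report's `errors` key. Whether the final verdict field should be `None`, `False`-plus-error, or something else is a reporting convention of the analyzer, not something this page settles; what matters is that the error entry is present so the result is never read as a clean negative.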