#! /bin/bash

set -e

## DNS DDOS victims.
dns_victims=$(
  sed -n '
    /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
  ' /var/log/daemon.log |
  sort -u |
  while read addr; do
    if ! ipset -qT ddos-evil-dns "$addr"; then
      echo "$addr"
    fi
  done
)
case "$dns_victims" in
  "") ;;
  *)
    echo 'DNS DDOS victim addresses:'
    ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
    for addr in $dns_victims; do
      echo "  $addr"
      ipset -A ddos-evil-dns "$addr" || :
    done
    ;;
esac