On Thu, 4 Apr 2013 23:51:23 GMT, Vernon Schryver <v...@rhyolite.com> wrote:

> > From: Chris Buxton <cli...@buxtonfamily.us>
> 
> > A company wants to halt the spread of a piece of malware that
> > uses DNS lookups to find its C&C. ...
> 
> > The company has determined the first N domains of the sequence,
> > but does not know how to calculate the complete set of domains.
> > ...
> 
> > Unfortunately, because RPZ doesn't return a policy-based answer when
> > there is no positive answer to be found out on the Internet, RPZ is
> > not a suitable solution. Therefore, the customer is forced to create
> > the individual zones normally, mixing them with other data in their
> > management solution, rather than using RPZ to trap the malware into
> > contacting the honeypot server.
> 
> Why isn't it both sufficient and better to list the NS servers or
> NS servers for the NS servers of the evil domains?  Won't NS servers
> for the N domains be known, especially after the first of the N
> domains goes active?
> 
> 


Uhm... maybe I'm doing something wrong, but RPZ answer rewrites on NXDOMAIN 
hosts do work for me.

We have a customer who wants us to resolve some hosts, which are normally in 
their inside zone, inside their platform in our datacenter, while the rest of the 
zone should be answered by the outside zone. 


Here's our config:


named.conf:

options {
        directory "/named/dns01.somecustomer.de/";

        query-source address x.x.x.x port *;
        listen-on port 53 { x.x.x.x; };

        pid-file "log/named.pid";
        allow-query { any; };
        minimal-responses yes;
        version "";
        statistics-file "log/stats";
        max-cache-size 1000M;
        clients-per-query 25;
};

view "MESA_live" {

        match-clients { any; };

        response-policy {
                zone "myrpz-rpz";
        };

        empty-zones-enable yes;
        empty-server "blackhole.easynet.de";
        empty-contact "admin.easynet.com";

        zone "com" {
                type delegation-only;
        };

        zone "net" {
                type delegation-only;
        };

        zone "myrpz-rpz" {
                type master;
                file "conf/myrpz-rpz";
                allow-query { none; };
        };
}


view "MCS_compact" {

        ...
};




myrpz-rpz:

$TTL 43200
@       IN      SOA a.prim-ns.de.       hostmaster.de.easynet.net.   (
                2012041802      ;
                28800           ;
                7200            ;
                604800          ;
                1200            ;
                )

                IN      NS      localhost.

subdomain.domain.de  60 A       172.26.30.231





The above setting rewrites NXDOMAIN answers for subdomain.domain.de to the 
above IP address, while every other host still gets the information from the 
customer's outside zone.

Am I doing something substantially wrong here, RPZ-wise?



Ciao
Torsten
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
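The two approaches discussed in this thread, QNAME triggers for the first N domains of the malware's sequence (as in Torsten's zone file) and NSDNAME/NSIP triggers for the nameservers those domains delegate to (as Vernon suggests), can be combined in one RPZ zone. The following generator is an added example and is not code from the original posts or from BIND; the domain names, nameserver names and addresses in it are constructed placeholders, and only the honeypot address is taken from the post's zone file. It emits a zone with relative owner names, so it loads under whatever origin the `zone "..."` statement in named.conf gives it, exactly like the post's "myrpz-rpz".

```python
"""Generate a BIND RPZ zone that traps known malware C&C names in a honeypot.

Added example, not from the original posts. Emits QNAME triggers (the known
domains and everything beneath them) plus NSDNAME/NSIP triggers for the
nameservers the domains delegate to. Input data below is constructed.
"""
import ipaddress
import re

# Constructed sample input: the first N domains of the sequence, plus the
# nameservers observed once the first domain went active.
KNOWN_DOMAINS = ["a1b2c3.example", "xyz987.example", "qwe456.example"]
KNOWN_NS_NAMES = ["ns1.evil-hoster.example"]
KNOWN_NS_IPS = ["192.0.2.53", "2001:db8::53"]

# Honeypot address: the same value the post's zone file points at.
HONEYPOT_IP = "172.26.30.231"

# One LDH label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Reject anything that would not load as a relative RPZ owner name."""
    name = name.lower()
    if not name or len(name) > 253 or name.startswith(".") or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def rpz_ip_owner(ip_str, suffix="rpz-nsip"):
    """Encode an address as an RPZ IP-style trigger owner name.

    IPv4 1.2.3.4 -> 32.4.3.2.1.<suffix>.  IPv6 reverses the 16-bit words of
    the compressed form and writes the '::' gap as 'zz', so
    2001:db8::53 -> 128.53.zz.db8.2001.<suffix>.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        return "32." + ".".join(reversed(str(ip).split("."))) + "." + suffix
    text = ip.compressed
    if "::" in text:
        left, right = text.split("::")
        lw = left.split(":") if left else []
        rw = right.split(":") if right else []
        words = list(reversed(rw)) + ["zz"] + list(reversed(lw))
    else:
        words = list(reversed(text.split(":")))
    return "128." + ".".join(words) + "." + suffix


def build_rpz_zone(domains, ns_names, ns_ips, honeypot_ip, serial, ttl=60):
    """Return the zone text. Owner names are relative to the zone origin set
    by the zone statement in named.conf, as in the post's 'myrpz-rpz'."""
    ipaddress.IPv4Address(honeypot_ip)  # A records below need an IPv4 target
    lines = [
        "$TTL 43200",
        "@ IN SOA localhost. hostmaster.localhost. ( %d 28800 7200 604800 1200 )" % serial,
        "  IN NS localhost.",
        "",
        "; QNAME triggers: the known C&C names and everything beneath them",
    ]
    for d in domains:
        if not is_valid_hostname(d):
            raise ValueError("bad domain name: %r" % d)
        d = d.lower()
        lines.append("%s %d A %s" % (d, ttl, honeypot_ip))
        lines.append("*.%s %d A %s" % (d, ttl, honeypot_ip))
    lines.append("")
    lines.append("; NSDNAME/NSIP triggers: any name delegated to these servers.")
    lines.append("; Caveat: they also catch unrelated domains hosted on the same servers.")
    for n in ns_names:
        if not is_valid_hostname(n):
            raise ValueError("bad nameserver name: %r" % n)
        lines.append("%s.rpz-nsdname %d A %s" % (n.lower(), ttl, honeypot_ip))
    for ip in ns_ips:
        lines.append("%s %d A %s" % (rpz_ip_owner(ip), ttl, honeypot_ip))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(KNOWN_DOMAINS, KNOWN_NS_NAMES, KNOWN_NS_IPS,
                         HONEYPOT_IP, serial=2013040501))
```

Write the output to the file named in the zone statement and bump the serial on every regeneration; a new batch of domains then only needs a reload of that one zone. The NSDNAME/NSIP entries are the stronger net, since they fire for domains of the sequence nobody has computed yet, but they fire for every other domain those servers host too, so use them only when the nameservers are dedicated to the malware.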
