> domains: if you know the algorithm, you can pre-generate the malicious
> domains and add them to your RPZ in advance.
RPZ by default will not stop the upstream query. You would have to use "qname-wait-recurse yes" in addition if stopping upstream queries is your goal.

I believe this malware DGA is discussed on this site [1]. According to one user, the DGA is unpredictable and used as a decoy only:

"There is a large list of hardcoded domains with ports that the malware contacts. But in addition to that, there is a DGA that generates domains that look exactly like the hardcoded domains. The seeding of the DGA is done with GetTickCount and therefore unpredictable."

It seems to me that some of the hardcoded domains resolve to 195.22.26[.]248, e.g. m23.pxrrhqd[.]net, m16.nkksufo[.]net. Thus, I have the following RPZ rule in place at the moment:

    32.248.26.22.195.rpz-ip CNAME .

This will of course only match some of the hardcoded domains and none of the DGA domains.

I'm not sure what you could use to prevent any of these queries from going upstream. Maybe "synth-from-dnssec" in BIND 9.12 is something, if the domain name happens to hit a TLD which uses NSEC. According to the BIND 9.12 documentation [2], BIND will support NSEC3 for "synth-from-dnssec" at some point in the future. However, as most TLDs use NSEC3 opt-out, I guess this is not the right solution either.

Or RRL (rate-limit) with only "nxdomains-per-second". However, I have never used RRL on recursive resolvers. I guess this is not a good idea either.

Daniel

[1] https://github.com/360netlab/DGA/issues/36
[2] https://ftp.isc.org/isc/bind9/9.12.0rc3/doc/arm/Bv9ARM.ch09.html#relnotes_features
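A small generator for such an RPZ zone, added here as an illustration and not part of Daniel's post: it encodes rpz-ip triggers the way the rule above does (prefix length, then the reversed address, with "zz" standing in for "::" on IPv6) and emits QNAME rules for the hardcoded names. The zone origin rpz.local and the IPv6 prefix are assumed sample values.

```python
import ipaddress

def rpz_ip_name(cidr: str) -> str:
    """Encode an IP prefix as an RPZ 'rpz-ip' trigger owner name.

    RPZ writes an address trigger as <prefixlen>.<address reversed>.rpz-ip,
    e.g. 195.22.26.248/32 -> 32.248.26.22.195.rpz-ip. For IPv6 the 16-bit
    groups are reversed and a '::' run is written as the single label 'zz'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = str(net.network_address)          # compressed textual form
    if net.version == 4:
        labels = addr.split(".")
    elif "::" in addr:
        left, right = addr.split("::")
        labels = ((left.split(":") if left else []) + ["zz"]
                  + (right.split(":") if right else []))
    else:
        labels = addr.split(":")
    return f"{net.prefixlen}.{'.'.join(reversed(labels))}.rpz-ip"

def refang(name: str) -> str:
    """Turn a defanged name such as m23.pxrrhqd[.]net back into a real one."""
    return name.replace("[.]", ".").rstrip(".").lower()

def build_rpz_zone(origin: str, names, prefixes, serial: int = 1) -> list[str]:
    """Zone-file lines for an RPZ answering NXDOMAIN (CNAME .) for each listed
    name (and anything beneath it) and for any answer whose A/AAAA record
    falls inside one of the listed prefixes (a response-IP trigger)."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for n in sorted({refang(n) for n in names}):
        lines.append(f"{n} CNAME .")      # QNAME trigger: the name itself
        lines.append(f"*.{n} CNAME .")    # ...and every label beneath it
    for p in prefixes:
        lines.append(f"{rpz_ip_name(p)} CNAME .")
    return lines

# Constructed sample input: the two hardcoded names and the address from the
# post above, plus an assumed IPv6 prefix to exercise the 'zz' encoding.
HARDCODED = ["m23.pxrrhqd[.]net", "m16.nkksufo[.]net"]
PREFIXES = ["195.22.26.248/32", "2001:db8::/32"]

if __name__ == "__main__":
    print("\n".join(build_rpz_zone("rpz.local", HARDCODED, PREFIXES)))
```

The generated file is loaded like any other zone and referenced from a `response-policy { zone "rpz.local"; }` statement in named.conf.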