Re: RPZ configuration examples

2011-11-21 Thread Barry Greene
Hello Papdheen,

ISC now has a knowledge base where more information is systematically being 
written and published. There is a whole section on DNSRPZ:

https://kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNSRPZ/

Each article allows for comments to improve the materials. We welcome 
suggestions and ideas for more KB articles. 

Thanks,

Barry



On Nov 18, 2011, at 9:23 PM, babu dheen wrote:

 
 
 Hi,
  
 We are new to BIND and would like to implement RPZ in BIND. I have the 
 following queries with respect to RPZ in BIND.
 
 Please help me on this.
 
 1. Do you have basic examples/steps to configure RPZ in BIND? (I need a couple 
 of examples, like the /etc/named.conf file and zone files for RPZ.)
 2. If I use RPZ, will the recursive DNS server contact the remote RBL database for 
 every DNS query?
 3. Is it possible to download DNS RBLs locally on the DNS server 
 automatically daily and then allow RPZ to answer locally to give the malware domain 
 lookup response?
  
  If you can help on this, it will be very much helpful to understand and 
 implement RPZ in our enterprise.
  
 Regards
 Papdheen M
  
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users



Re: RPZ configuration examples

2011-11-21 Thread Paul Vixie
noting, first: there is documentation online for DNS RPZ, see the following:

https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

second, as to the particulars:

babu dheen babudh...@yahoo.co.in writes:

 We are new to BIND and would like to implement RPZ in BIND. I have the
 following queries with respect to RPZ in BIND.

 1. Do you have basic examples/steps to configure RPZ in BIND? (I need a
 couple of examples, like the /etc/named.conf file and zone files for RPZ.)

in my recursive server's named.conf file, in the options{} block, i have:

response-policy {
zone dns-policy.vix.com;
zone rpz.surbl.org;
zone rpz.spamhaus.org;
zone block.c2.rpz.umbradata.com;
zone hh.c2.rpz.umbradata.com;
zone active.nx.rpz.iidrpz.net;
zone dga.nx.rpz.iidrpz.net;
};

all but the first of these are slave zones that i subscribe to. the first
one is my local policy, and that zone looks like:

$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
  NS localhost.

; eric ziegast suggestions
11.156.21.46.32.rpz-ip  CNAME *.
96.177.58.207.32.rpz-ip CNAME *.

; pedro bueno suggestions
14.53.199.94.32.rpz-ip  CNAME *.

; android market scammer
softthrifty.com CNAME   .
*.softthrifty.com   CNAME   .

; spam houses
*.verticalresponse.com  CNAME   .

; imports
$INCLUDE drop/drop.inc
$INCLUDE drop/bogons.inc

the two $INCLUDE files are generated by a perl script using data imported
from Team Cymru and Spamhaus. that method is described in a blog post at:

http://www.circleid.com/posts/using_domain_filtering_to_effect_ip_address_filtering/

drop.inc begins as follows:

24.0.140.196.109.rpz-ip  CNAME  .
*.140.196.109.in-addr.arpa  CNAME  .
22.0.212.94.109.rpz-ip  CNAME  .
*.212.94.109.in-addr.arpa  CNAME  .
*.213.94.109.in-addr.arpa  CNAME  .
*.214.94.109.in-addr.arpa  CNAME  .
*.215.94.109.in-addr.arpa  CNAME  .

bogons.inc begins as follows:

8.0.0.0.0.rpz-ip  CNAME  .
*.0.in-addr.arpa  CNAME  .
10.0.0.64.5.rpz-ip  CNAME  .
*.64.5.in-addr.arpa  CNAME  .
*.65.5.in-addr.arpa  CNAME  .
*.66.5.in-addr.arpa  CNAME  .
*.67.5.in-addr.arpa  CNAME  .
*.68.5.in-addr.arpa  CNAME  .
*.69.5.in-addr.arpa  CNAME  .

a copy of the perl script that generates these is online at:

http://nsa.vix.com/~vixie/lasso2rpz.pl

 2. If I use RPZ, recursive DNS will contact remote RBL database for
 every DNS query?

no. all RPZ control plane information is held locally in the recursive
server. per the specification at:

https://deepthought.isc.org/article/AA-00512/0

we see this text:

A DNS Response Policy Zone (RPZ) is a DNS zone, and as such its
contents can be transferred between servers (DNS AXFR/IXFR),
protected by transaction signatures (DNS TSIG), and expedited by
real time change notifications (DNS NOTIFY), all subject to
familiar DNS access controls. An RPZ usually does not support query
access since it is never required for correct operation. Rather it
is the zone transfer of RPZ content from producers to subscribers
which effectively publishes the policy data, and it is the
transferee's server configuration which promotes RPZ payload data
into DNS control plane data.

 3. Is it possible to download DNS RBLs locally on the DNS server
 automatically daily and then allow RPZ query locally to give malware
 domain lookup response?

yes. that is one of the intended uses of DNS RPZ.

 If you can help on this, it will be very much helpful to understand
 and implement RPZ in our enterprise.

while this discussion is on-topic for bind-us...@isc.org (here), there
is also a mailing list specific to DNS RPZ. to subscribe, visit:

https://lists.isc.org/mailman/listinfo/dnsrpz-interest

noting, again: there is documentation online for DNS RPZ, see the following:

https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

thank you for your interest in DNS RPZ.
-- 
Paul Vixie
KI6YSY
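The record shapes in drop.inc and bogons.inc above follow one rule: an rpz-ip trigger is the prefix length followed by the network address with its octets reversed, and the reverse-map wildcards enumerate the last octet pinned by the prefix. The following is an added example, not Paul Vixie's lasso2rpz.pl and not anything posted to the list, that implements that rule in Python for any IPv4 prefix (the post only shows /8, /10, /22 and /24). The "prefix ; comment" input layout is an assumption about DROP-style feeds, and the sample list is constructed from the prefixes the quoted records decode to plus one /23.

```python
"""Turn a DROP-style list of CIDR prefixes into RPZ records.

Added example, not Paul Vixie's lasso2rpz.pl. It reproduces the two record
shapes visible in drop.inc and bogons.inc:

    <prefixlen>.<network address, octets reversed>.rpz-ip  CNAME .
    *.<fixed octets, reversed>.in-addr.arpa                CNAME .

The first is an RPZ IP trigger (NXDOMAIN for any answer inside the prefix);
the second also hides reverse lookups for the prefix.
"""
import ipaddress
import math

# Constructed sample in the "prefix ; comment" shape of a DROP-style feed
# (an assumption about the feed format). The first two prefixes are what the
# records quoted above decode to; the /23 shows a non-octet boundary.
SAMPLE_DROP = """\
; constructed sample, not a real feed
109.196.140.0/24 ; SBL-EXAMPLE-1
109.94.212.0/22  ; SBL-EXAMPLE-2
10.1.2.0/23      ; constructed
"""


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True: a line such as 10.1.2.5/23 is rejected rather than silently
    # widened, so a corrupted feed cannot quietly change what gets blocked.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        # a /0 trigger would turn the policy zone into a blackhole for everything
        raise ValueError(f"refusing to encode {cidr}")
    return net


def rpz_ip_trigger(cidr: str) -> str:
    """'109.196.140.0/24' -> '24.0.140.196.109.rpz-ip'."""
    net = _net(cidr)
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def in_addr_arpa_wildcards(cidr: str) -> list[str]:
    """Wildcard reverse-map names covering the prefix, e.g. the four
    *.X.Y.Z.in-addr.arpa names for a /22. Prefixes longer than /24 get none:
    a wildcard below a PTR owner name would not match the PTR itself."""
    net = _net(cidr)
    if net.prefixlen > 24:
        return []
    octets = str(net.network_address).split(".")
    fixed = math.ceil(net.prefixlen / 8)        # octets pinned by the prefix
    span = 2 ** (fixed * 8 - net.prefixlen)     # values the last pinned octet takes
    head = octets[: fixed - 1]
    start = int(octets[fixed - 1])
    names = []
    for value in range(start, start + span):
        labels = reversed(head + [str(value)])
        names.append("*." + ".".join(labels) + ".in-addr.arpa")
    return names


def rpz_records(cidr: str) -> list[str]:
    """All zone-file lines for one prefix; CNAME . (NXDOMAIN) as in the post."""
    names = [rpz_ip_trigger(cidr)] + in_addr_arpa_wildcards(cidr)
    return [f"{name:<34} CNAME  ." for name in names]


def build_include(feed_text: str) -> str:
    """Render the body of an $INCLUDE file from DROP-style lines."""
    lines = []
    for raw in feed_text.splitlines():
        cidr = raw.split(";", 1)[0].strip()     # drop the comment part
        if cidr:
            lines.extend(rpz_records(cidr))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_include(SAMPLE_DROP), end="")
```

The strict parsing is deliberate: this file is loaded into a recursive server's control plane, so a malformed feed line should stop the generator rather than produce a trigger that blocks more than intended.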


pdns nxdomain equivalent

2011-11-21 Thread matei marius
Hello,


For the moment, I am using nxdomain from pdns ().

There are some well-defined excludes for some domains based on prefix, suffix 
and full matches in the redirect.lua folder.

I want to replace pdns with bind 9.9.
I managed to make excludes only for suffixes of the domains like 
*.domain.tld    cname.
Would like to do the same for domains like mail.* cname. as well as full 
matches (ex. *domeniu* cname .)
Please tell me if it is possible and how? 

Thank you,

Marius

Re: Puzzeling about IPv6

2011-11-21 Thread Kevin Darcy

On 11/19/2011 2:32 PM, 夜神 岩男 wrote:

On 11/20/2011 04:07 AM, Matthew Seaman wrote:

On 19/11/2011 18:47, 夜神 岩男 wrote:

Oh, and given you've got 64bits to play with, so long as your random
numbers are up to scratch no need to worry about collisions.  You'd
need to be assigning millions of addresses before you ran into that
problem.


Not to be an ass and this is likely a decade too early, but... this is
direct echoes of what I heard 20 years ago.

Does systematic thinking belong in /32+ IPv6 addressing or is it in fact
safe to just random it all away willy-nilly?


Look at http://en.wikipedia.org/wiki/Birthday_paradox

With 64bits of host address space in a typical IPv6 network, you would
need to be allocating 6.1 million addresses to have a 1 in a million
chance of a collision.  You'd need 5.1 billion addresses for a 1 in 2
chance of a collision.  If you get a collision in a typical network of
maybe several hundred machines, then suspect your random number
generator before anything else.


I would appreciate the numbers more if we were talking in terms of 
numbers of machines, as we were in the late 80's, but we're not. Now 
everything has an address. With virtualization (which is a trend I 
tend to buck, but is a prevalent force) it is currently normal for a 
single machine to host tens or hundreds of IPs. With the mobile 
environment and some concepts to simplify mobile-but-hubbed/homed 
devices even those devices can inherit several IPs each. Is it not 
inconceivable that complete ignorance of numeric partitioning could run 
us into weird places quicker than we expect once again?


For example, a random assignment gives me something close to the  /8 
space of the low end of my range and/or another pre-assigned address 
region which was initially intended for a single machine -- until that 
machine and its IP space became all cloudy like (the way 1st year 
drop-out CIO's are getting sold on today). Now is this range enough, 
and is the resolution overhead worth it in the future (10+ years of us 
thinking IP ranges are freely available enough to just random 
assignment away) to push the next bajillion addresses to the same 
machine/cluster (as it will no doubt evolve into at some point) to a 
totally separate random remaining range once the available random 
addressing block is used/randomed away?


The fact you cite the birthday paradox is interesting, as it predicts 
that collisions are highly likely given the way we've grown to think 
that every device should be multiply homed within a massively 
multi-homed cluster and that IP assignments are totally costless today.
Instead of speculating how many addresses can dance on the head of the 
randomness pin, for goodness sakes, just read RFC 4862. Even if there's 
a collision (not bloody likely when a /64 can address quintillions of 
nodes), there is still DAD (Duplicate Address Detection). Folks, some 
pretty smart guys worked all of this out, and SLAAC is being used all 
over the place, in production. This isn't just an academic exercise any 
more, and shouldn't be treated as such: it's here, it works, deal with it.





- Kevin



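The figures Matthew Seaman quotes (6.1 million addresses for a one-in-a-million collision chance, 5.1 billion for even odds) come straight from the birthday bound, and the objection raised against them is that the bound counts addresses drawn, not machines. The following is an added example, not from the thread, that works the formula through in Python with the thread's own numbers and then applies it to a multi-homed segment; the 300-machine, 100-addresses-each figures are constructed.

```python
"""Birthday-bound arithmetic for random IPv6 interface identifiers.

Added example, not from the thread. It reproduces the figures quoted above
(6.1 million draws for a 1-in-a-million collision chance, 5.1 billion for
1 in 2) with the standard approximation

    P(collision among n draws from N values) ~= 1 - exp(-n(n-1) / 2N)

and then applies the same formula to the objection raised in the thread:
what the bound counts is the number of addresses drawn, not machines.
"""
import math

IID_BITS = 64                # host part of a /64: the interface identifier
SPACE = 2 ** IID_BITS        # N, number of possible identifiers


def collision_probability(n: int, space: int = SPACE) -> float:
    """P(at least one duplicate) when n identifiers are drawn uniformly."""
    # -expm1(x) is 1 - exp(x) without cancellation for tiny probabilities
    return -math.expm1(-n * (n - 1) / (2 * space))


def draws_for_probability(p: float, space: int = SPACE) -> float:
    """Number of draws at which the collision probability reaches p.
    Solving 1 - exp(-n^2 / 2N) = p gives n = sqrt(2 N ln(1 / (1 - p)))."""
    return math.sqrt(2 * space * -math.log1p(-p))


def addresses_drawn(machines: int, addresses_per_machine: int) -> int:
    """The quantity the birthday bound actually counts on a multi-homed
    segment: every virtual host or extra address is another draw."""
    return machines * addresses_per_machine


if __name__ == "__main__":
    print(f"{draws_for_probability(1e-6):.3e} draws for p = 1e-6")
    print(f"{draws_for_probability(0.5):.3e} draws for p = 1/2")
    # constructed: 300 machines, 100 addresses each, all on one /64
    n = addresses_drawn(machines=300, addresses_per_machine=100)
    print(f"{n} addresses on one /64: p = {collision_probability(n):.3e}")
```

Even counted per address rather than per machine, a segment of tens of thousands of identifiers stays far below any probability worth planning around, and the thread's other point still holds: RFC 4862 Duplicate Address Detection is the backstop if a collision does occur.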

BIND 9.9.0b2 is now available

2011-11-21 Thread Susan Graves
Introduction

  BIND 9.9.0b2 is the second beta release for BIND 9.9.0 and also
  contains a security update to address CVE-2011-4313.

  Please see the CHANGES file in the source code release for a complete
  list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options. Free
  support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  BIND 9 nameservers performing recursive queries could cache an
  invalid record and subsequent queries for that record could crash
  the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

New Features

 *  Add a 'named -U' option to set the number of UDP listener threads
per interface. [RT #26485]

 *  dnssec-signzone: -f - prints to stdout; -O full option
prints in single-line-per-record format.  [RT #20287]

 *  Add a configuration switch dnssec-lookaside 'no' to set
explicitly the current default behavior.  [RT #24858]

 *  'rndc querylog' can now be given an on/off parameter instead
of only being used as a toggle. [RT #18351]

 *  When the server logs messages about the state of recursive
client processing, it will include the name the client had
requested in the log messages, to make it easier to identify
problems when they occur. Such log messages will now look similar
to this one: 03-Nov-2011 14:14:44.981 client 10.53.0.7#49775
(www.example.com): send

Bug Fixes

 *  Change #3186 was incomplete; dns_db_rpz_findips() could fail to set
the database version correctly, causing an assertion failure. [RT
#26180]

 *  Correct a behavior introduced in 9.9.0a3 whereby 'rndc recursing'
could cause a core dump. [RT #26495]

 *  resolver.c:validated() was not thread-safe. [RT #26478]

 *  Correct a situation in rbtdb.c: where failure to remove a node from
the deadnodes list prior to adding a reference to it could lead to
a possible assertion failure. [RT #23219]

 *  Canceling the oldest query due to recursive-client overload could
trigger an assertion failure. [RT #26463]

 *  NOEDNS caching on timeout was too aggressive.  [RT #26416]

 *  Clarify the error message reported when the config parser cannot
open a file.  [RT #22263]

 *  A query structure could be used after being freed. [RT #22208]

 *  zone.c:zone_refreshkeys() could fail to detach references correctly
when errors occurred, causing a hang on shutdown. [RT #26372]

Thank You

  Thank you to everyone who assisted us in making this release possible.
  If you would like to contribute to ISC to assist us in continuing
  to make quality open source software, please visit our donations
  page at http://www.isc.org/supportisc.

Bind and ntp.org server refused issue

2011-11-21 Thread Eduardo Bonsi

Hello;

Does NTP interfere with DNSSEC configuration? Apple computers have their 
own time synchronized and configured through time.apple.com.
Is that enough, or do I have to configure NTP to work with their 
pool.ntp.org server?


If yes, has anyone here on the list configured NTP 
successfully and could help? I have read the information out there on 
Google and tried their configuration, but so far it has not worked.


Thanks!

21-Nov-2011 15:09:55.748 security: info: client 63.200.45.xx#port view 
external: query (cache) 'pool.ntp.org/A/IN' denied


21-Nov-2011 15:09:55.748 query-errors: debug 3: client 
63.200.45.xx#port: view external: query failed (REFUSED) for 
pool.ntp.org/IN/A at 
/SourceCache/bind9/bind9-31.1/bind9/bin/named/query.c:3899



--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com


Re: Bind and ntp.org server refused issue

2011-11-21 Thread Alan Clegg
On 11/21/2011 10:47 PM, Eduardo Bonsi wrote:
 Hello;
 
 Does NTP interfere with DNSSEC configuration? Apple computers have their
 own time synchronized and configured through the time.apple.com.
 -Is that enough or do I have to configure NTP to work with their
 pool.ntp.org server?

No.  That's not the problem that you are seeing.

 21-Nov-2011 15:09:55.748 security: info: client 63.200.45.xx#port view
 external: query (cache) 'pool.ntp.org/A/IN' denied
 
 21-Nov-2011 15:09:55.748 query-errors: debug 3: client
 63.200.45.xx#port: view external: query failed (REFUSED) for
 pool.ntp.org/IN/A at
 /SourceCache/bind9/bind9-31.1/bind9/bin/named/query.c:3899

You have an ACL that doesn't allow 63.200.45.xx to ask you for the given
label (or that address falls outside of all views).

AlanC
-- 
a...@clegg.com | acl...@infoblox.com
  1.919.355.8851




Re: Bind and ntp.org server refused issue

2011-11-21 Thread Mark Andrews

In message 4ecb1b3e.5010...@pacbell.net, Eduardo Bonsi writes:
 Hello;
 
 Does NTP interfere with DNSSEC configuration?

No, though the machine has to have a good enough idea of the time
when it boots so that the circular dependency is not an issue.  For
DNSSEC, +/- an hour should not be an issue.

 Apple computers have their 
 own time synchronized and configured through the time.apple.com.
 -Is that enough or do I have to configure NTP to work with their 
 pool.ntp.org server?
 
 In case of Yes, does anyone here in the list have configured NTP 
 successfully and could help? I have read the information out there on 
 Google and tried their configuration but so far it has not worked.
 
 Thanks!
 
 21-Nov-2011 15:09:55.748 security: info: client 63.200.45.xx#port view 
 external: query (cache) 'pool.ntp.org/A/IN' denied

This looks like you have configured multiple views and have an external
machine trying to use you to recurse.  Make sure your match-clients
clauses fully cover your internal machines.  In this case 63.200.45.xx
was not being matched.

 21-Nov-2011 15:09:55.748 query-errors: debug 3: client 
 63.200.45.xx#port: view external: query failed (REFUSED) for 
 pool.ntp.org/IN/A at 
 /SourceCache/bind9/bind9-31.1/bind9/bin/named/query.c:3899
 
 
 -- 
 BEARTCOMMUNICATIONS
 Eduardo Bonsi
 System - Network Admin
 beart...@pacbell.net
 webmas...@beart.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
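Both replies read the REFUSED the same way: the client landed in a view whose match-clients does not admit it for recursion, either because it fell through to "external" or because it matched no view at all. The following is an added example, not from the thread, that works through that diagnosis in Python over a few log lines: it parses the "query (cache) ... denied" messages, replays BIND's first-match view selection against the configured prefixes, and separates own hosts that fell into a non-recursive view (a match-clients gap to fix) from outside clients for which the refusal is the intended behaviour. The view list, LAN prefixes and log lines are constructed, not the poster's configuration; the log regex follows the line quoted in the thread and tolerates the queried-name parenthesis that the 9.9 release notes above describe.

```python
"""Triage BIND 'query (cache) ... denied' log lines against view ACLs.

Added example, not from the thread. Steps:
  1. parse the security-category denied-query lines,
  2. replay BIND's view selection (first view whose match-clients admits
     the client wins; no match means the client falls outside all views),
  3. split denied clients into match-clients gaps (own hosts that reached a
     non-recursive view) and outside clients (refusal working as intended).
Views, prefixes and log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Shape of the message quoted in the thread. BIND 9.9 may insert the queried
# name in parentheses after the client address, so that part is optional.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+:? (?:\([^)]*\) )?view (?P<view>[^:]+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

# Constructed view configuration in named.conf order. The gap being modelled:
# "internal" only covers the lower half of the 192.0.2.0/24 LAN.
VIEWS = [
    ("internal", ["192.0.2.0/25", "127.0.0.0/8"]),   # recursion allowed
    ("external", ["0.0.0.0/0"]),                       # recursion denied
]
RECURSIVE_VIEWS = {"internal"}
LAN_PREFIXES = ["192.0.2.0/24"]     # constructed: what the operator knows is theirs

# Constructed log lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
21-Nov-2011 15:09:55.748 security: info: client 192.0.2.200#49775 view external: query (cache) 'pool.ntp.org/A/IN' denied
21-Nov-2011 15:10:01.102 security: info: client 192.0.2.200#49776: view external: query (cache) 'time.apple.com/A/IN' denied
21-Nov-2011 15:10:07.330 security: info: client 198.51.100.9#33021: view external: query (cache) 'www.example.com/AAAA/IN' denied
21-Nov-2011 15:10:09.001 queries: info: client 192.0.2.10#5353: view internal: query: www.example.com IN A + (192.0.2.1)
"""


def parse_denied(log_text: str) -> list[dict]:
    """Client, view and question from each denied-query line; others ignored."""
    return [m.groupdict() for m in map(DENIED_RE.search, log_text.splitlines()) if m]


def match_view(ip: str, views=VIEWS):
    """Replay BIND's view selection: first view whose match-clients contains
    the address wins; None means the client falls outside every view."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in views:
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None


def _in_lan(ip: str, lan=LAN_PREFIXES) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in lan)


def triage(log_text: str, views=VIEWS, recursive=RECURSIVE_VIEWS, lan=LAN_PREFIXES):
    """Return {'gaps': {ip: count}, 'outside': {ip: count}} for denied clients."""
    gaps, outside = Counter(), Counter()
    for rec in parse_denied(log_text):
        view = match_view(rec["ip"], views)
        if view in recursive:
            continue            # would not be refused under this config
        (gaps if _in_lan(rec["ip"], lan) else outside)[rec["ip"]] += 1
    return {"gaps": dict(gaps), "outside": dict(outside)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["gaps"].items():
        print(f"add {ip} to a recursive view's match-clients ({n} refusals)")
    for ip, n in result["outside"].items():
        print(f"{ip}: outside client, {n} refusals, leave refused")
```

Running the constructed config flags 192.0.2.200 as the gap (it is on the LAN but outside the /25 the internal view admits) and leaves 198.51.100.9 refused, which is what an open-resolver control should do for an address that is not yours.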


DNSSEC bug down issue, Servers Unreachable

2011-11-21 Thread Eduardo Bonsi

I have checked my domain against

http://www.intodns.com/bonsi.org

and I am getting that everything is ok.

I have signed the domain bonsi.org with dnssec key and entered the key 
at the https://dlv.isc.org for validation. In addition I also entered 
the dlv.bonsi.org. at the parent.


On dlv.isc.org I am getting Servers Unreachable

Servers Unreachable
Severity: failure
Summary: One or more servers could not be reached.
When checking the status of a domain, one or more servers did not 
respond or did not respond correctly. If this is the initial check, all 
servers are required to respond. For later checks, which simply ensure 
the DNSKEY is still present, at least one server must respond. Check to 
make certain the name servers for this zone respond over both TCP and UDP.


If the servers were to be Unreachable I think I wouldn't be able to 
serve the domain bonsi.org and that is not the case.


What could be the problem?

Thanks!

--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com


Issue with cache

2011-11-21 Thread Binu B Nair
Hello,

I am facing a very strange problem.
On sending a DNS query for sabb...@direct.telstra.net I do not get a 
DNS response from the resolver. It shows a SERVFAIL error.
However, on flushing the cache, this error subsides and the DNS lookup is 
working fine. As per the initial analysis, this is my finding:


1.   DNS lookup for the hostname was getting responded from the cache

2.   On restarting named the cache got cleared



In case 1, can anyone please advise why the resolver was caching a SERVFAIL 
response? Is it a BIND characteristic to store all responses, positive and 
negative?

Please advise.


Kind Regards,
Binu.


rndc flush does not work

2011-11-21 Thread Binu B Nair
Hi,

I am using bind-9.8.1-P1 on my resolvers. I face a cache refresh problem.

On attempting to clear the cache using rndc flush, this does not work. However, a 
named restart clears the cache. What could be the problem? Am I doing something 
wrong, or have I understood rndc flush incorrectly?

Please assist.

Regards,
Binu.
