Re: How to wall garden the malicious domain

2018-04-19 Thread Grant Taylor via bind-users

On 04/18/2018 11:37 PM, Blason R wrote:
I need to wall-garden the malicious domain requests and instead route them to 
that server itself.


I assume that you are saying that you need to 1) filter malicious 
domains and 2) you want requests for them to be resolved to your (DNS?) 
server.


E.g. my DNS server IP is 192.168.5.47 and I would like to wall-garden the 
request and provide the IP 192.168.5.47; since I have 0.3 million domains, 
specifying an IP in front of each of them would not be a good option.


What do you mean by "specifying IP in front of them would not be a good 
option"?  Are you saying that you don't want to have "$domain A 
192.168.5.47" entries for all 300k domains?


Without doing anything, BIND will resolve the domains normally.  So you 
will need to do something to each of the domains to cause the RPZ to not 
resolve the domains normally.  This usually means that you will need to 
specify an alternate IP or CNAME for each and every one of them.  I 
don't see a way around this.



Can you please suggest a way to do that?


Please elaborate on what you are wanting to do and not do.



--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
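The approach described in the reply above (one CNAME rule per listed domain, all pointing at a single walled-garden host) is easy to generate rather than hand-write. Below is an added example, not code from the list posting or from ISC: a small Python generator that turns a domain list into a BIND RPZ zone file. The zone name rpz.local, the garden hostname walled-garden.example and the file names are assumptions for illustration; 192.168.5.47 is the address from the thread.

```python
"""Generate a BIND 9 RPZ zone that sends every listed domain, and all of
its subdomains, to one walled-garden host via CNAME rules.

Added example for the thread above, not the poster's or ISC's code.
Assumed names: RPZ zone rpz.local., garden host walled-garden.example.
The garden host must live in an ORDINARY zone (not in the RPZ zone),
e.g. zone "walled-garden.example" with "@ A 192.168.5.47", because an
RPZ CNAME target is resolved normally after the rewrite.

Matching named.conf fragment (assumed file names):
    options { response-policy { zone "rpz.local"; }; };
    zone "rpz.local" { type master; file "rpz.local.zone";
                       allow-query { none; }; };
    zone "walled-garden.example" { type master; file "garden.zone"; };
"""
from typing import Iterable, Iterator, Optional

GARDEN_HOST = "walled-garden.example."   # assumed; trailing dot = absolute
GARDEN_IP = "192.168.5.47"               # from the thread; goes in garden.zone

_ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-._")


def normalize(domain: str) -> Optional[str]:
    """Lower-case, strip whitespace and trailing dot; drop blanks, comment
    lines and names with characters that would corrupt the zone file."""
    d = domain.strip().lower().rstrip(".")
    if not d or d.startswith("#"):
        return None
    if any(c not in _ALLOWED for c in d):
        return None
    return d


def rpz_rules(domains: Iterable[str], target: str = GARDEN_HOST) -> Iterator[str]:
    """Yield an exact-match rule and a wildcard rule per unique domain.
    Owner names are relative to the RPZ $ORIGIN, so "evil.example" here is
    the trigger for QNAME evil.example. (RPZ strips the zone suffix)."""
    seen = set()
    for raw in domains:
        d = normalize(raw)
        if d is None or d in seen:
            continue
        seen.add(d)
        yield f"{d} CNAME {target}"
        yield f"*.{d} CNAME {target}"


def build_rpz_zone(domains: Iterable[str], origin: str = "rpz.local.",
                   serial: int = 1, target: str = GARDEN_HOST) -> str:
    """Return the complete zone file text: SOA/NS header plus all rules.
    Bump `serial` on every regeneration so named reloads the new data."""
    header = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin} {serial} 3600 600 604800 300",
        "@ NS localhost.",
    ]
    return "\n".join(header + list(rpz_rules(domains, target))) + "\n"


if __name__ == "__main__":
    # Constructed sample input; a real run would read the 300k-line list.
    sample = ["Evil.Example.", "evil.example", "", "# comment", "bad.test"]
    print(build_rpz_zone(sample), end="")
```

Feed the real list in with `build_rpz_zone(open("domains.txt"))`, write the result to the RPZ zone file and `rndc reload rpz.local`. Two caveats a practitioner will hit: `named-checkzone rpz.local rpz.local.zone` should be run on the generated file before reload, since one bad owner name spoils the whole zone; and clients redirected to the garden host will get certificate errors for HTTPS names, so the garden page is only seen for plain-HTTP traffic. BIND's `response-policy` zone clause also accepts a per-zone `policy cname <domain>` override that rewrites every hit in that zone to the same target regardless of what each rule says; the per-domain CNAME generated here works the same on versions without that override and keeps the zone self-describing.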


Re: Queries to DNS Blackholes don't respond

2018-04-19 Thread Roberto Carna
Dear Darcy, now I understand what you mean.

Thanks for your great explanation of the possible causes of the
blackhole servers not responding to me.

Thanks a lot !!!

2018-04-18 17:35 GMT-03:00 Darcy Kevin (FCA) :
> Sorry, but the "that's what they're there for" argument is often misapplied 
> to justify reckless, irresponsible or just plain unauthorized use of 
> resources, and I think this is an example of that.
>
> The AS112 project (https://www.as112.net/), who collectively run those 
> "blackhole" servers, set them up to answer queries that leak out 
> *unintentionally*. RFC 6303, among other documents, makes it quite clear that 
> DNS operators SHOULD define the RFC 1918 zones, and zones associated with 
> reverse-IPv6 and other "special" address ranges, locally, either explicitly 
> or by using the built-in mechanisms of the DNS software, in order to 
> *prevent* those queries leaking out and having to be answered by the AS112 
> servers. Your attitude of "I'll just use the AS112 servers because that's 
> what they're there for" amounts to *abusing* resources -- that in most cases 
> are provided by volunteers -- that were set up to help protect the Internet 
> DNS infrastructure from misconfiguration and/or deliberate assault. Please do 
> the right and responsible thing. Don't be part of the problem.
>
> Having said that, if, out of idle curiosity, you want to know why you're not 
> getting answers from your closest AS112 Anycast node, I'd start by looking at 
> the problem from the routing perspective. Anycast routing can be tricky 
> sometimes (in my case, a traceroute shows a path going directly from our 
> border router through some ALTER.NET hops, but your mileage may vary). Or 
> maybe the operator of that node is having a problem with their nameserver. 
> Another possibility is that an intermediate IPS (Intrusion Prevention System 
> or Service), or firewall, is configured to drop your query packets or the 
> responses (RFC 6305 focuses on that particular scenario, although its main 
> recommendation for mitigation is to not send the queries to the AS112 servers 
> in the first place).
>
> - Kevin
>
>
>
> -Original Message-
> From: bind-users  On Behalf Of Roberto Carna
> Sent: Wednesday, April 18, 2018 11:31 AM
> To: bind-users@lists.isc.org
> Subject: Re: Queries to DNS Blackholes don't respond
>
> Dear people, I know the best way is to make in-addr.arpa local zones in my 
> BIND.
>
> But also I think the BLACKHOLE SERVERS can be used, because they were created 
> for this reason: responding to RFC 1918 network queries.
>
> So why don't the BLACKHOLE servers respond anymore? Just one time I could 
> get a response from them.
>
> Regards!!!
>
> 2018-04-18 11:53 GMT-03:00 /dev/rob0 :
>> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>>> Dear, I have implemented a BIND9 server. It works OK, but some days
>>> ago an application failed because it needed to resolve the reverse of
>>> some IP addresses from range 10.x.x.x, and they waited for a long
>>> time and failed, because they need a NXDOMAIN fast response.
>>>
>>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>>
>> You don't need to.  See the "built-in empty zones" section of the BIND
>> 9 ARM, chapter 6.
>>
>>> because I want to
>>> use the two public nameservers from Internet:
>>>
>>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>>
>> What??  Why?  Those are not supposed to be used.  BIND now includes
>> empty zones for all RFC 1918 and other reserved netblocks which
>> shouldn't ever appear on the open Internet.
>>
>> If you use some of these networks inside your organization, you can
>> have authoritative zones for the corresponding in-addr.arpa zones.
>>
>> [snip]
>>> Is it OK that I do? Are blackholes servers useful for this purpose ?
>>
>> Not at all.  That's why we have the automatic empty zones.  Sadly,
>> many distributors are not aware of the feature, so they distribute
>> named.conf with kludges.
>> --
>>   http://rob0.nodns4.us/
>>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
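The thread above turns on which reverse zones BIND 9 already answers locally with an empty zone (so a PTR query for a 10.x.x.x address gets an immediate NXDOMAIN and never reaches the AS112 blackhole servers), and on the alternative rob0 mentions of defining your own authoritative reverse zone when you actually use that space. The following is an added example, not code from the thread or from ISC: it computes the reverse name for an address, checks it against the RFC 6303 empty-zone list, and emits the named.conf stanza for a locally served reverse zone. The zone list is reproduced from RFC 6303 and the BIND ARM's "built-in empty zones" section as I remember them (the ARM for your named version is authoritative), and the zone file names are assumptions.

```python
"""Predict whether a PTR lookup is answered from one of BIND 9's built-in
empty zones, and build a named.conf stanza for a reverse zone you want
to serve yourself instead.

Added example for the thread above; not ISC code. Zone list from
RFC 6303 / BIND ARM "built-in empty zones" as I recall it: check your
named's ARM, since newer releases add zones (e.g. RFC 6598 100.64/10).
"""
from ipaddress import ip_address, ip_network
from typing import Optional

BUILTIN_EMPTY_ZONES = (
    # RFC 1918
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
    # RFC 6303 other special-use IPv4 ranges
    + ["0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
       "2.0.192.in-addr.arpa", "100.51.198.in-addr.arpa",
       "113.0.203.in-addr.arpa", "255.255.255.255.in-addr.arpa"]
    # RFC 6598 shared address space (added in later BIND releases)
    + [f"{n}.100.in-addr.arpa" for n in range(64, 128)]
    # IPv6: ::, ::1, fe80::/10, 2001:db8::/32
    + ["0" + ".0" * 31 + ".ip6.arpa", "1" + ".0" * 31 + ".ip6.arpa",
       "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", "a.e.f.ip6.arpa", "b.e.f.ip6.arpa",
       "8.b.d.0.1.0.0.2.ip6.arpa"]
)


def reverse_name(addr: str) -> str:
    """3.2.1.10.in-addr.arpa for 10.1.2.3; nibble form for IPv6."""
    return ip_address(addr).reverse_pointer.lower()


def local_empty_zone(addr: str) -> Optional[str]:
    """Return the built-in empty zone that covers the address's PTR name,
    or None if the query would be sent to the Internet (and, for a leaked
    private address, end up at an AS112 node)."""
    name = reverse_name(addr)
    for zone in BUILTIN_EMPTY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa name for an octet-aligned IPv4 prefix (/8, /16, /24)."""
    net = ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone_stanza(network: str) -> str:
    """named.conf stanza serving the reverse zone locally. Defining the zone
    yourself replaces the built-in empty zone of the same name (BIND does
    not create an empty zone that would collide with a configured one);
    the file name db.<zone> is an assumed convention."""
    zone = reverse_zone_name(network)
    return f'zone "{zone}" {{ type master; file "db.{zone}"; }};'


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.20.0.1", "172.32.0.1", "8.8.8.8", "fe80::1"):
        print(f"{a:>12} -> {local_empty_zone(a)}")
    print(reverse_zone_stanza("10.0.0.0/8"))
```

The check is the fast way to confirm what the thread states: any address whose `local_empty_zone()` result is a zone name never needs the blackhole servers, provided `empty-zones-enable` has not been turned off in named.conf (it defaults to yes) and no `disable-empty-zone` statement removes that zone. If you do use 10/8 internally, the stanza from `reverse_zone_stanza("10.0.0.0/8")` points BIND at your own data for it, which is exactly the "authoritative zones for the corresponding in-addr.arpa zones" option in the thread.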