Re: Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Fred Morris
I posted just such a thing a few weeks ago on the dnsrpz list at
redbarn. Hrm, seems to be down at the moment.

On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote:
> On 12/2/21 9:59 AM, Fred Morris wrote:
>> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
>> generally available: turn your local BIND resolver into a network
>> investigation enabler with locally generated PTR records.
>
> Would you please elaborate on what Rear View RPZ does?
>
> It seems as if it synthetically fabricates PTR records (which are
> served via RPZ) with some additional information for subsequent use by
> investigators.
>
> If that is correct, please provide an example of the original PTR and
> the synthetic augmented PTR.

\/    \/    \/    \/    \/ (ob ascii art!)

 Forwarded Message 

Subject:[DNSfirewalls] I've got smoke! Re: Using DnsTap to populate a
reverse DNS RPZ
Date:   Mon, 15 Nov 2021 09:49:26 -0800
From:   Fred Morris 
To: dnsfirewa...@lists.redbarn.org



Hi. It's been a while.

Anyway, I did this. It'll be going up on GitHub. I'll post another
announcement here, and probably on dnstap and bind-users, when it's got
training wheels.

The way this works is a "sputnik" which consumes BIND's Dnstap telemetry
and uses it to populate the RPZ using dynamic updates.

--

FWM

On 3/19/21 12:57 PM, Fred Morris wrote:
> This is a tactical defender-centric tool, intended to augment everyday
> tools' usability, e.g. "iptables -L -v". It's an RPZ, but it's not a
> ban hammer.
>
> On Fri, 19 Mar 2021, Andrew Fried wrote:
>> [...]
>> You will often see generic 4-3-2-1.some.domain ptr records despite an
>> actual host/domain points at the ip, particularly in cloud environments.
>
> Exactly the point!
>
--

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 www.cnn.com

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 www.cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54804
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 04b5f7fa4c6aded4a8b6a4b3619299ce772407a3c447a114 (good)
;; QUESTION SECTION:
;www.cnn.com.   IN  A

;; ANSWER SECTION:
www.cnn.COM.    297 IN  CNAME   turner-tls.map.fastly.net.
turner-tls.map.fastly.net. 27   IN  A   151.101.53.67

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:33:02 PST 2021
;; MSG SIZE  rcvd: 134

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 rearview.m3047.net axfr

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 rearview.m3047.net axfr
; (1 server found)
;; global options: +cmd
REARVIEW.M3047.NET. 600 IN  SOA DEV.NULL. M3047.M3047.NET. 2 600 60 86400 600
REARVIEW.M3047.NET. 600 IN  NS  LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0."
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
REARVIEW.M3047.NET. 600 IN  SOA DEV.NULL. M3047.M3047.NET. 2 600 60 86400 600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:33:10 PST 2021
;; XFR size: 5 records (messages 1, bytes 382)

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 infoblox.com

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 infoblox.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 666ea36e97a11479a198007e61929a416afc140bc683c5cc (good)
;; QUESTION SECTION:
;infoblox.com.  IN  A

;; ANSWER SECTION:
infoblox.com.   3600    IN  A   23.185.0.3

;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:34:57 PST 2021
;; MSG SIZE  rcvd: 85

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 rearview.m3047.net axfr

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 rearview.m3047.net axfr
; (1 server found)
;; global options: +cmd
REARVIEW.M3047.NET. 600 IN  SOA DEV.NULL. M3047.M3047.NET. 3 600 60 86400 600
REARVIEW.M3047.NET. 600 IN  NS  LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0."
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=1,first=1636997699.3390522,last=1636997699.3390543,count=1,trend=0.0,score=0.5"
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN PTR infoblox.com.
REARVIEW.M3047.NET. 600 IN  SOA DEV.NULL. M3047.M3047.NET. 3 600 60 86400 600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 

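An added example, not code from Rear View RPZ or from anyone in the thread: a small Python reader for the zone contents shown in the AXFR output above. It derives the RPZ owner name for an address, parses the TXT telemetry fields, and answers the question "which FQDN did my clients resolve to this address?". The zone name and sample records come from the thread; treating depth and count as integers and the other fields as floats is an assumption.

```python
import ipaddress
import re

RPZ_ZONE = "rearview.m3047.net."  # zone name from the thread's AXFR output

# Sample zone, constructed from the AXFR output quoted above (apex SOA/NS kept).
SAMPLE_ZONE = """\
REARVIEW.M3047.NET. 600 IN  SOA DEV.NULL. M3047.M3047.NET. 3 600 60 86400 600
REARVIEW.M3047.NET. 600 IN  NS  LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0."
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=1,first=1636997699.3390522,last=1636997699.3390543,count=1,trend=0.0,score=0.5"
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN PTR infoblox.com.
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(PTR|TXT)\s+(.+)$")

def rpz_owner(address, zone=RPZ_ZONE):
    """Owner name an address gets inside the RPZ: its in-addr.arpa (or
    ip6.arpa) reverse-pointer name with the RPZ zone appended."""
    return ipaddress.ip_address(address).reverse_pointer + "." + zone

def parse_telemetry(txt):
    """Turn the TXT payload 'depth=..,first=..,count=..,score=..' into a dict.
    Assumption: depth/count are integers, the rest floats ('0.' parses as 0.0)."""
    fields = {}
    for item in txt.strip('"').split(","):
        key, value = item.split("=", 1)
        fields[key] = int(value) if key in ("depth", "count") else float(value)
    return fields

def load_zone(text, zone=RPZ_ZONE):
    """Index the PTR and TXT records of a zone dump by lower-cased owner name."""
    entries = {}
    for line in text.splitlines():
        match = RR_LINE.match(line)
        if not match or not match.group(1).lower().endswith(zone):
            continue  # apex SOA/NS records and anything outside the RPZ zone
        owner, rtype, rdata = match.group(1).lower(), match.group(2), match.group(3).strip()
        record = entries.setdefault(owner, {})
        if rtype == "PTR":
            record["fqdn"] = rdata.rstrip(".")
        else:
            record.update(parse_telemetry(rdata))
    return entries

def rear_view(address, entries, zone=RPZ_ZONE):
    """Which FQDN did local clients resolve to this address? None if never seen."""
    return entries.get(rpz_owner(address, zone))
```

Feed `load_zone` the body of `dig ... axfr` output against a live resolver and `rear_view` gives the locally observed name for an address from `iptables -L -v` or a flow record, together with its first/last/count telemetry.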
Re: Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Grant Taylor via bind-users

On 12/2/21 9:59 AM, Fred Morris wrote:
> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
> generally available: turn your local BIND resolver into a network
> investigation enabler with locally generated PTR records.

Would you please elaborate on what Rear View RPZ does?

It seems as if it synthetically fabricates PTR records (which are served 
via RPZ) with some additional information for subsequent use by 
investigators.


If that is correct, please provide an example of the original PTR and 
the synthetic augmented PTR.


Aside:  Creative use and combination of DNSTap and RPZ.  



--
Grant. . . .
unix || die

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Greg Rivers via bind-users
On Thursday, 2 December 2021 10:59:17 CST Fred Morris wrote:
> And I have one small favor to ask: if you know of a Linux distribution
> which ships BIND compiled with Dnstap support, please let me know!
> 
The Linux packages that ISC provide[1] all have dnstap enabled. Also, the 
FreeBSD BIND port and packages have had dnstap enabled by default since August 
2020[2].


[1] 
[2] 

-- 
Greg




Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Fred Morris
Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
generally available: turn your local BIND resolver into a network
investigation enabler with locally generated PTR records.

Ok, sure, some of you may be using it as a network investigation tool
already. If so, you're probably well aware of the problems with PTR
records for local visibility:

  * Whoever controls the address space, not the domain, controls the PTR
record.
  * They don't necessarily get updated when domains get updated.
  * Network owners lie.
  * The records are just ignored.
  * Many FQDNs can point at an address (vhosting).
  * CNAMEs confound the intent of PTR records.

What FQDN did /YOUR/ users look up which resolved to that address? Rear
View RPZ can tell you.

To have success with it in its present state:

  * You should be familiar with configuring BIND.
  * You should be capable of building it from source.
  * You should be capable of resolving prerequisites (e.g. frame
streams, protobuf) when doing so.
  * You should be familiar with Python syntax.
  * You should understand a systemd service file.

And I have one small favor to ask: if you know of a Linux distribution
which ships BIND compiled with Dnstap support, please let me know!

Cheers...

--

Fred Morris

This is being posted to the Dnstap, RPZ and BIND Users mailing lists.

