Re: Can we block/detect DNS beacon channels?
On 05/02/2018 12:59 PM, Blason R wrote:
> Well, the challenge is not implementing RPZ; that part is done. But now I am
> wondering, as an advanced part, if such attacks can be detected as well as
> blocked by using RPZ? I guess one option I see is to deploy a HIDS on the BIND
> server, like Suricata, which will detect such attacks. But that will consume a
> lot of resources, hence wondering if we can natively configure anything like that?

RPZ works on known-ahead-of-time text strings / IP matches. As such, there's really no intelligence to it. If it matches a pattern, do <action>. Note: the pattern isn't anything nearly as nice as an RE.

So you would need /something/ to watch traffic and apply logic to it, modifying the RPZ after the fact.

Conversely, RPS outsources that intelligence to something else to directly apply the logic during the query.

It really sounds like you're after RPS.

-- 
Grant. . . .
unix || die
Re: Can we block/detect DNS beacon channels?
Well, the challenge is not implementing RPZ; that part is done. But now I am wondering, as an advanced part, if such attacks can be detected as well as blocked by using RPZ? I guess one option I see is to deploy a HIDS on the BIND server, like Suricata, which will detect such attacks. But that will consume a lot of resources, hence wondering if we can natively configure anything like that?

On Thu, May 3, 2018 at 12:20 AM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 05/02/2018 12:23 PM, Blason R wrote:
>> I would really appreciate it if someone can shed light on whether DNS-based
>> advanced attacks can be stopped using DNS RPZ, like DNS beacon channels or
>> data exfiltration through DNS queries.
>
> If you know fixed aspects of the queries / responses, you can very likely
> filter them with Response Policy Zone.
>
> However I think you will need Response Policy Service to be able to do
> more instrumentation / trending / tracking and filtering of unknown-ahead-
> of-time aspects.
>
> I think of RPS for DNS much like I think of milters for Sendmail.
>
> It's my understanding that RPS support is in BIND. However I'm not aware
> of any free RPS filters. I think there is at least one commercial
> implementation.
>
> -- 
> Grant. . . .
> unix || die
Re: Can we block/detect DNS beacon channels?
On 05/02/2018 12:23 PM, Blason R wrote:
> I would really appreciate it if someone can shed light on whether DNS-based
> advanced attacks can be stopped using DNS RPZ, like DNS beacon channels or
> data exfiltration through DNS queries.

If you know fixed aspects of the queries / responses, you can very likely filter them with Response Policy Zone.

However I think you will need Response Policy Service to be able to do more instrumentation / trending / tracking and filtering of unknown-ahead-of-time aspects.

I think of RPS for DNS much like I think of milters for Sendmail.

It's my understanding that RPS support is in BIND. However I'm not aware of any free RPS filters. I think there is at least one commercial implementation.

-- 
Grant. . . .
unix || die
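Both of Grant's replies above come down to the same point: RPZ only matches names and addresses that are already written in the zone, so something outside BIND has to watch the queries, decide what looks like a beacon or exfiltration channel, and rewrite the RPZ. The script below is an added example of that loop; it is not code from this thread, from ISC, or from any RPS product. It parses BIND querylog lines (assuming the default querylog format, with or without the `@0x...` client handle newer versions print), groups queries by the parent of the leftmost label, flags parents whose distinct leftmost labels are numerous, long and high-entropy, and renders an RPZ zone that returns NXDOMAIN for them. The log lines, domain names (`c2.example.net`, `example.com`) and thresholds are constructed for the demonstration and would need tuning against real traffic.

```python
"""Detect beacon/exfil-style query patterns in BIND query logs and emit an
RPZ zone that blocks the offending domains.  Added example, not from the
bind-users thread or from ISC.  Log lines, domains and thresholds are constructed."""
import math
import re
from collections import Counter, defaultdict

# BIND "querylog" lines, with or without the "@0x..." client handle that newer
# versions print.  Assumption: the default querylog format, unmodified.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>[A-Z0-9]+) "
)

# Constructed sample: ordinary lookups plus a TXT beacon carrying 16-hex-char
# payloads under c2.example.net from two clients.
SAMPLE_LOG = """\
02-May-2018 13:01:01.101 client 192.0.2.10#51234 (www.example.com): query: www.example.com IN A + (192.0.2.1)
02-May-2018 13:01:02.202 client 192.0.2.10#51235 (mail.example.com): query: mail.example.com IN MX + (192.0.2.1)
02-May-2018 13:01:03.303 client 192.0.2.11#40001 (ns1.example.com): query: ns1.example.com IN A + (192.0.2.1)
02-May-2018 13:01:04.404 client 192.0.2.10#51236 (7a1f3c9e2b8d4f06.c2.example.net): query: 7a1f3c9e2b8d4f06.c2.example.net IN TXT + (192.0.2.1)
02-May-2018 13:02:04.405 client 192.0.2.10#51237 (0c4e8a2f6b1d9357.c2.example.net): query: 0c4e8a2f6b1d9357.c2.example.net IN TXT + (192.0.2.1)
02-May-2018 13:03:04.406 client 192.0.2.10#51238 (d3b7f1a95c0e2486.c2.example.net): query: d3b7f1a95c0e2486.c2.example.net IN TXT + (192.0.2.1)
02-May-2018 13:04:04.407 client @0x7f3a9c0012e0 192.0.2.11#40002 (5e9c1a7f3b2d8046.c2.example.net): query: 5e9c1a7f3b2d8046.c2.example.net IN TXT + (192.0.2.1)
02-May-2018 13:05:04.408 client @0x7f3a9c0012e0 192.0.2.11#40003 (b8d2f4a6c0e1937f.c2.example.net): query: b8d2f4a6c0e1937f.c2.example.net IN TXT + (192.0.2.1)
"""


def shannon_entropy(label):
    """Bits per character of a DNS label; encoded data scores near log2(alphabet size)."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_querylog(text):
    """Yield (client_ip, qname, qtype) for every line the regex recognises."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def find_beacon_domains(text, min_unique=3, min_entropy=3.0, min_len=12):
    """Group queries by the parent of the leftmost label (where beacon tools put
    their variable data) and flag parents whose distinct leftmost labels are
    numerous, long and high-entropy.  Assumption: the variable part is one label;
    a production tool would also consult a public-suffix list before blocking."""
    seen = defaultdict(lambda: {"labels": set(), "clients": set(), "qtypes": Counter()})
    for client, qname, qtype in parse_querylog(text):
        if "." not in qname:
            continue
        first, parent = qname.split(".", 1)
        s = seen[parent]
        s["labels"].add(first)
        s["clients"].add(client)
        s["qtypes"][qtype] += 1
    flagged = {}
    for parent, s in seen.items():
        labels = s["labels"]
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        avg_len = sum(map(len, labels)) / len(labels)
        if len(labels) >= min_unique and avg_entropy >= min_entropy and avg_len >= min_len:
            flagged[parent] = {
                "unique_labels": len(labels), "avg_entropy": avg_entropy, "avg_len": avg_len,
                "clients": sorted(s["clients"]), "qtypes": dict(s["qtypes"]),
            }
    return flagged


def rpz_zone(domains, origin="rpz.local", serial=2018050201):
    """Render an RPZ zone file.  'CNAME .' is the RPZ trigger for NXDOMAIN and the
    wildcard covers every name under the flagged parent.  ('CNAME *.' would answer
    NODATA; 'CNAME rpz-passthru.' would exempt a name from the policy.)"""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ( {serial} 3600 600 86400 300 )",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_beacon_domains(SAMPLE_LOG)
    for parent, info in hits.items():
        print(f"; {parent}: {info}")
    print(rpz_zone(hits), end="")
```

On the sample input the only flagged parent is `c2.example.net` (five distinct 16-character labels, average entropy 3.95 bits/char); `example.com` is left alone because `www`, `mail` and `ns1` are short and low-entropy. To wire the output into BIND, write the zone to the file named in a `zone "rpz.local" { type master; file "/etc/bind/rpz.local.db"; allow-query { localhost; }; };` stanza, list it under `response-policy { zone "rpz.local"; };`, and run `rndc reload rpz.local` after each regeneration; hits then appear in BIND's `rpz` logging category. The thresholds are the weak point of any such heuristic: CDN hostnames, DNSSEC-related names and legitimate DNS-based protocols can all produce long or random-looking labels, so keep a passthru list and review flagged parents before they go into the zone.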
Can we block/detect DNS beacon channels?
Hi,

I would really appreciate it if someone can shed light on whether DNS-based advanced attacks can be stopped using DNS RPZ, like DNS beacon channels or data exfiltration through DNS queries.