Re: Getting RPZ statistics

2012-12-08 Thread John Hascall
If you have a pointer to the technique you're using to distinguish images and serve up replies, I'd be interested to see it. I'll be the first to admit it's not perfect, but even if we send the wrong content, it's better than what they would have gotten! :) First we just look at the

Re: Getting RPZ statistics

2012-12-07 Thread John Hascall
infected with malware. John --- John Hascall, j...@iastate.edu Team Lead, NIADS (Network Infrastructure, Authentication Directory Services) IT Services, The Iowa State University of Science and Technology

Re: DNS Blackholing

2012-12-03 Thread John Hascall
We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue. John --- John Hascall, j...@iastate.edu Team Lead, NIADS (Network Infrastructure

DNS RPZ and different answers for IPv6 vs IPv4

2012-02-13 Thread John Hascall
What I would like to have happen is for the IPv6 () query for evil-domain.com to return no data, but for the IPv4 (A) query for evil-domain.com to return CNAME our-walled-garden. Is this possible? If so, how? Thanks, John

CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread John Hascall
are ghosts (new different ghost names could, of course, be created). Is this correct? Thanks, John --- John Hascall, j...@iastate.edu Team Lead, NIADS (Network Infrastructure, Authentication Directory Services) IT Services

Re: CVE-2012-1033 (Ghost domain names) mitigation

2012-02-09 Thread John Hascall
Questions: (1) It looks to me like if the ghost name is in our DNS RPZ zone, then that 'fixes' the problem for that name. Is this correct? Ghost domain could be redelegated to a new owner and become absolutely legal. Caveat Emptor -- if you buy a former TDSS (or some other

Re: CVE-2011-0414 and Bind 9.7.3

2011-03-05 Thread John Hascall
How sure are we that 9.7.3 fixes CVE-2011-0414? Pretty darn sure. Because we are seeing behaviour that looks like CVE-2011-0414 on our 9.7.3 server... Please send details to bind9-b...@isc.org. It was just as we saw with 9.7.2, the last thing in the log is an IXFR and then boom no

CVE-2011-0414 and Bind 9.7.3

2011-03-04 Thread John Hascall
How sure are we that 9.7.3 fixes CVE-2011-0414? Because we are seeing behaviour that looks like CVE-2011-0414 on our 9.7.3 server... Thanks, John --- John Hascall, j...@iastate.edu Team Lead, NIADS (Network

Re: Delegation or PEBKAC problems?

2009-05-05 Thread John Hascall
that). If your first server can't talk to the other (delegated zone's) NS's (say because of a firewall issue) you can get something that matches what you seem to be getting. John --- John Hascall, j...@iastate.edu Team Lead