Re: RPZ and negative answers
On Thu, 4 Apr 2013 23:51:23 GMT, Vernon Schryver wrote:
> > From: Chris Buxton
>
> > A company wants to halt the spread of a piece of malware that
> > uses DNS lookups to find its C&C. ...
>
> > The company has determined the first N domains of the sequence,
> > but does not know how to calculate the complete set of domains.
> > ...
>
> > Unfortunately, because RPZ doesn't return a policy-based answer when
> > there is no positive answer to be found out on the Internet, RPZ is
> > not a suitable solution. Therefore, the customer is forced to create
> > the individual zones normally, mixing them with other data in their
> > management solution, rather than using RPZ to trap the malware into
> > contacting the honeypot server.
>
> Why isn't it both sufficient and better to list the NS servers or
> NS servers for the NS servers of the evil domains? Won't NS servers
> for the N domains be known, especially after the first of the N
> domains goes active?

Uhm... maybe I'm doing something wrong, but RPZ answer rewrites on NXDOMAIN hosts do work for me. We have a customer who wants us to resolve some hosts, which are normally in their inside zone, inside their platform in our datacenter, while the rest of the zone should be answered by the outside zone.

Here's our config.

named.conf:

    options {
        directory "/named/dns01.somecustomer.de/";
        query-source address x.x.x.x port *;
        listen-on port 53 { x.x.x.x; };
        pid-file "log/named.pid";
        allow-query { any; };
        minimal-responses yes;
        version "";
        statistics-file "log/stats";
        max-cache-size 1000M;
        clients-per-query 25;
    };

    view "MESA_live" {
        match-clients { any; };
        response-policy { zone "myrpz-rpz"; };
        empty-zones-enable yes;
        empty-server "blackhole.easynet.de";
        empty-contact "admin.easynet.com";
        zone "com" { type delegation-only; };
        zone "net" { type delegation-only; };
        zone "myrpz-rpz" {
            type master;
            file "conf/myrpz-rpz";
            allow-query { none; };
        };
    };

    view "MCS_compact" {
        ...
    };

myrpz-rpz:

    $TTL 43200
    @   IN SOA a.prim-ns.de. hostmaster.de.easynet.net. (
                2012041802 ; serial
                28800      ; refresh
                7200       ; retry
                604800     ; expire
                1200 )     ; minimum
        IN NS localhost.
    subdomain.domain.de 60 A 172.26.30.231

The above setting is rewriting NXDOMAIN answers for subdomain.domain.de to the above IP address, while every other host still has the information from the customer's outside zone.

Am I doing something substantially wrong here, RPZ-wise?

Ciao
Torsten

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: End-user documentation for full DNSSEC automation using Bind9?
On Thu, 2013-04-04 at 12:08 -0700, pgbi...@ml1.net wrote:
> And/or point to any examples integrating with GKG.net's
> API?

I have a small Python script that parses /etc/named.conf looking for comments indicating zones that are registered with gkg.net, and it uploads the current set of keys using the gkg.net API. I can sanitize it this weekend and publish a link to it.
Re: RPZ and negative answers
> From: Chris Buxton

> A company wants to halt the spread of a piece of malware that
> uses DNS lookups to find its C&C. ...

> The company has determined the first N domains of the sequence,
> but does not know how to calculate the complete set of domains.
> ...

> Unfortunately, because RPZ doesn't return a policy-based answer when
> there is no positive answer to be found out on the Internet, RPZ is
> not a suitable solution. Therefore, the customer is forced to create
> the individual zones normally, mixing them with other data in their
> management solution, rather than using RPZ to trap the malware into
> contacting the honeypot server.

Why isn't it both sufficient and better to list the NS servers or NS servers for the NS servers of the evil domains? Won't NS servers for the N domains be known, especially after the first of the N domains goes active?

Vernon Schryver  v...@rhyolite.com
Re: RPZ and negative answers
On Apr 4, 2013, at 1:42 AM, Phil Mayers wrote:
> On 04/04/2013 12:50 AM, Chris Buxton wrote:
>
>> Thanks for the explanation. It seems to me this is a gap in coverage
>> of RPZ -- the algorithm should be updated, in my opinion, to cover
>> the case of a negative answer.
>
> AIUI it's a deliberately limited mechanism aimed at preventing resolution of
> harmful domains; NODATA/NXDOMAIN rewriting has caused enough controversy in
> the recent past that I can understand there being reluctance to extend RPZ to
> do it.
>
> Can you comment on the use-case?

Sure. Here's an example.

A company wants to halt the spread of a piece of malware that uses DNS lookups to find its C&C. The malware is known to try computed domain names successively until one resolves, and then connect to the resolved address. The company has set up a honeypot server to control the malware and keep it quiescent.

The company has determined the first N domains of the sequence, but does not know how to calculate the complete set of domains. Therefore, the company wants to put the known domains into an RPZ. Normal, individual zones would also work, but this would require mixing them with other data in their management system. The customer wants to keep these domains separate from other managed data.

Unfortunately, because RPZ doesn't return a policy-based answer when there is no positive answer to be found out on the Internet, RPZ is not a suitable solution. Therefore, the customer is forced to create the individual zones normally, mixing them with other data in their management solution, rather than using RPZ to trap the malware into contacting the honeypot server.

Chris Buxton
BlueCat Networks
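An added example for the use case described in this thread; it is not code from the thread or from ISC. It generates a response-policy zone that answers the known DGA names (and anything under them) with the honeypot address, using QNAME triggers, which are keyed on the name being asked for rather than on whatever the upstream answer would have been (Torsten reports exactly this working for NXDOMAIN names elsewhere in the thread). It also emits NSDNAME triggers (name.rpz-nsdname) in the spirit of Vernon's suggestion, so domains delegated to a known-bad name server are caught before they have been enumerated. The domains, honeypot address, name-server names and SOA values are constructed for illustration.

```python
"""Generate an RPZ zone that steers known malware C&C names to a honeypot.

Added example for the use case in this thread; it is not code from the
thread or from ISC.  The domains, the honeypot address, the name-server
names and the SOA fields are constructed for illustration.
"""
import re
from datetime import date

# One hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_name(name):
    """Lower-case a domain name, drop the trailing dot and validate its labels."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError("bad domain name: %r" % name)
    return name


def rpz_serial(today=None, seq=1):
    """YYYYMMDDnn serial; seq lets the zone be regenerated up to 100 times a day."""
    if not 0 <= seq <= 99:
        raise ValueError("seq must be 0..99")
    today = today or date.today()
    return int(today.strftime("%Y%m%d")) * 100 + seq


def build_rpz_zone(dga_domains, honeypot_ip, ns_names=(), ttl=60, serial=None,
                   soa_ns="localhost.", soa_mail="hostmaster.rpz.invalid."):
    """Return the text of a response-policy zone.

    QNAME triggers: every domain and *.domain get a Local Data A record, so
    the resolver hands back the honeypot address for the query name itself
    and for any label under it.
    NSDNAME triggers: name.rpz-nsdname matches any domain delegated to that
    name server, which also catches not-yet-enumerated DGA domains that are
    parked on the same servers.
    """
    if serial is None:
        serial = rpz_serial()
    lines = [
        "$TTL 3600",
        "@ IN SOA %s %s ( %d 3600 900 604800 60 )" % (soa_ns, soa_mail, serial),
        "@ IN NS %s" % soa_ns,
    ]
    seen = set()
    for domain in sorted(normalize_name(d) for d in dga_domains):
        if domain in seen:          # duplicates (or case variants) collapse
            continue
        seen.add(domain)
        lines.append("%s %d IN A %s" % (domain, ttl, honeypot_ip))
        lines.append("*.%s %d IN A %s" % (domain, ttl, honeypot_ip))
    for ns in sorted(set(normalize_name(n) for n in ns_names)):
        lines.append("%s.rpz-nsdname %d IN A %s" % (ns, ttl, honeypot_ip))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: three "known" DGA names (one duplicated with
    # different case) and one name server shared by the campaign.
    print(build_rpz_zone(["Qxk1p.example.", "zr7t.example", "qxk1p.example"],
                         "172.26.30.231", ns_names=["ns1.dga-host.example"],
                         serial=2013040401), end="")
```

Load the output as a master zone (as in Torsten's named.conf, with allow-query { none; } so the policy data is never served directly) and list it under response-policy; bumping the serial on every regeneration is what makes the resolver notice the new list.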
Re: Auto-dnssec maintain and 'continous' resigning
On Apr 4, 2013, at 12:07 PM, Phil Mayers wrote:
> On 04/04/13 16:55, Carlos M. Martinez wrote:
>> Thank you very much for all the bits, certainly very helpful.
>>
>> My problem is that this cycle of zone signing triggers zone number
>> increases and generates dozens of NOTIFY messages and the corresponding
>> zone transfers to all slaves within a short period of time, something
>> which I believe is not very friendly to my gracious slave service
>> providers.
>
> You might ask your secondary if they care. We secondary for some people, and
> my view is that I don't care if they send me one NOTIFY a minute and I'm
> constantly doing tiny IXFR - I just don't care, or see why it's a problem.
>
> But I know some people don't like it. We don't send NOTIFY to one of our
> secondaries for this reason, and that copy of the zone lags by 0->refresh.
> It's not a huge problem for me, so if you can tolerate it, "notify explicit"
> might help.

Another option you may be interested in is "notify-delay" - if you don't really need the notifies sent immediately.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: Confused about CVE-2013-2266
It says "or upgrade to the patched release most closely related to your current version of BIND", then it lists the two versions to choose from. 9.9.2-P2 is fixed, as is 9.9.3b2.

Mark

In message , Red Cricket writes:
>
> Hi,
>
> I am sorry for being so dense, but I am confused about what to do about
> protecting my BIND DNS servers running 9.9.1-P4 from the regex issue.
>
> The link https://kb.isc.org/article/AA-00871 says this ...
>
> Impact:
>
> ... Intentional exploitation of this condition can cause denial of service
> in all authoritative and recursive nameservers running affected versions of
> BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive)
> and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)].
>
> OK ... I run 9.9.1-P4, so my DNS server could be affected by this issue.
> But later on in the link it says ...
>
> Solution:
>
> Compile BIND 9 without regular expression support as described in the
> "Workarounds" section of this advisory or upgrade to the patched release
> most closely related to your current version of BIND. These can be
> downloaded from http://www.isc.org/downloads/all.
>
> * BIND 9 version 9.9.2-P2
>
> But isn't 9.9.2-P2 within BIND 9.9.0 through BIND 9.9.3b1? So is 9.9.2-P2
> also affected? If I build from the 9.9.2-P2 tarball, do I need to patch the
> config.h as discussed in the "Workarounds" section?
>
> Thanks
> Red
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
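An added example, not from the thread, of the version arithmetic behind Mark's answer: a "-P" release is a fix layered on a base release that sits inside the advisory's range, so a naive string or tuple comparison puts 9.9.2-P2 "inside" 9.9.0 through 9.9.3b1 even though it is the fixed release. The affected ranges are the ones quoted from ISC's advisory in this thread; the PATCHED list holds only the two fixed releases the thread names (9.9.2-P2 and 9.9.3b2), so extend it from the advisory before using it for the 9.8 or 9.7 branches.

```python
"""Decide whether a BIND 9 version string is inside the CVE-2013-2266 window.

Added example, not from the thread.  AFFECTED_RANGES are the ranges quoted
from ISC's advisory in this thread (all of 9.7, 9.8.0 through 9.8.5b1,
9.9.0 through 9.9.3b1).  PATCHED holds only the fixed releases the thread
names (9.9.2-P2 and 9.9.3b2); add the other fixed releases from the advisory
before relying on this for other branches.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+))?(?:-P(\d+))?$")
_PRE_RANK = {"b": 0, "rc": 1, None: 2}        # beta < release candidate < final

AFFECTED_RANGES = (
    # (first affected, last affected); None means every release on that branch
    ("9.7.0", None),
    ("9.8.0", "9.8.5b1"),
    ("9.9.0", "9.9.3b1"),
)
PATCHED = ("9.9.2-P2", "9.9.3b2")


def parse_version(text):
    """Tuple that orders like ISC numbers releases:
    9.9.2 < 9.9.2-P1 < 9.9.2-P2 < 9.9.3b1 < 9.9.3b2 < 9.9.3."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch, pre, pre_num, p_level = m.groups()
    return (int(major), int(minor), int(patch),
            _PRE_RANK[pre], int(pre_num or 0), int(p_level or 0))


def in_window(version):
    """True when the version sits inside one of the advisory's ranges, ignoring
    the patched releases; this is the literal reading behind the question."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_t = parse_version(lo)
        if hi is None and v[:2] == lo_t[:2]:
            return True
        if hi is not None and lo_t <= v <= parse_version(hi):
            return True
    return False


def is_affected(version):
    """A -P release is a fix applied on top of a base release that lies inside
    the window, so 9.9.2-P2 (and any later -P on the same base) is clean even
    though 9.9.2 is between 9.9.0 and 9.9.3b1."""
    v = parse_version(version)
    if not in_window(version):
        return False
    for fixed in PATCHED:
        f = parse_version(fixed)
        if v[:5] == f[:5] and v >= f:      # same base release, at/after the fix
            return False
    return True


def nearest_fix(version):
    """Lowest patched release on the same major.minor branch that is not older
    than `version`, or None when PATCHED does not cover that branch."""
    v = parse_version(version)
    for tup, text in sorted((parse_version(p), p) for p in PATCHED):
        if tup[:2] == v[:2] and tup >= v:
            return text
    return None


if __name__ == "__main__":
    for ver in ("9.9.1-P4", "9.9.2-P2", "9.9.3b1", "9.9.3b2", "9.8.5b1", "9.8.5"):
        print("%-9s affected=%-5s upgrade to: %s"
              % (ver, is_affected(ver), nearest_fix(ver)))
```

Feed it the output of named -v (or a version.bind CHAOS TXT query, where that is not masked as in Torsten's version "" setting) when sweeping a fleet.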
Confused about CVE-2013-2266
Hi,

I am sorry for being so dense, but I am confused about what to do about protecting my BIND DNS servers running 9.9.1-P4 from the regex issue.

The link https://kb.isc.org/article/AA-00871 says this ...

Impact:

... Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)].

OK ... I run 9.9.1-P4, so my DNS server could be affected by this issue. But later on in the link it says ...

Solution:

Compile BIND 9 without regular expression support as described in the "Workarounds" section of this advisory or upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from http://www.isc.org/downloads/all.

* BIND 9 version 9.9.2-P2

But isn't 9.9.2-P2 within BIND 9.9.0 through BIND 9.9.3b1? So is 9.9.2-P2 also affected? If I build from the 9.9.2-P2 tarball, do I need to patch the config.h as discussed in the "Workarounds" section?

Thanks
Red
End-user documentation for full DNSSEC automation using Bind9?
Hi,

I run bind 9.9.2.

I'm interested in fully automating the DNSSEC key generation/signing/rollover process.

A while back, I'd used OpenDNSSEC to attempt it, but was ultimately foiled by lack of a registrar with an API it could talk to.

Since that time, IIUC, bind9's got all the tools integrated, AND I finally stumbled across a registrar that actually provides a functional & documented DNSSEC API: @ gkg.net.

DNSSEC Delegation Signer Webservice API
https://www.gkg.net/ws/ds.html

I've been digging around for step-by-step documentation of using Bind9 for DNSSEC automation, *ideally* with examples of usage with gkg.net. So far, I've been looking in all the wrong places ... lots of them.

Can anyone recommend good/thorough end-user documentation for DNSSEC automation? And/or point to any examples integrating with GKG.net's API?

Cheers.
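An added example of the half of such a script that is registrar-independent, written here for illustration; it is not the script mentioned in this thread and not gkg.net's or ISC's code. It scans named.conf for zone blocks carrying an assumed marker comment (registrar: gkg.net), reads the DNSKEY lines that dnssec-keygen writes into K<zone>+<alg>+<tag>.key, and computes the DS record (key tag per RFC 4034 appendix B, SHA-256 digest per RFC 4509) for each KSK. The named.conf text and DNSKEY lines are constructed, and the public keys are two-byte dummies rather than real keys; the final upload is a call to gkg.net's DS web service (https://www.gkg.net/ws/ds.html) and is not shown.

```python
"""Find the zones in named.conf that are marked as registered at gkg.net and
compute DS records for their KSKs.

Added example; it is not the script mentioned in this thread.  The marker
comment, the sample named.conf text and the DNSKEY lines are constructed,
and the public keys are two-byte dummies, not real keys.  Key tag and digest
follow RFC 4034 (appendix B) and RFC 4509 (SHA-256 over the owner name in
wire format followed by the DNSKEY RDATA).  Pushing the DS to the registrar
is a gkg.net-specific API call and is not shown here.
"""
import base64
import hashlib
import re

MARKER = "registrar: gkg.net"      # assumed comment marker inside a zone block

_ZONE_OPEN_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:[iI][nN]\s+)?\{')
_DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def zone_blocks(conf):
    """Yield (zone name, block text) for each zone statement, matching braces so
    nested sub-statements such as allow-update { ... }; stay inside the block.
    Braces inside quoted strings or comments are not special-cased."""
    for m in _ZONE_OPEN_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def registered_zones(conf):
    """Names of the zones whose block carries the registrar marker comment."""
    return [name for name, block in zone_blocks(conf) if MARKER in block]


def name_to_wire(name):
    """Canonical wire form of an owner name: lower case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 appendix B key tag over the DNSKEY RDATA (all algorithms but 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line into
    (owner, flags, protocol, algorithm, rdata)."""
    m = _DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError("not a DNSKEY line: %r" % line)
    owner, flags, proto, alg, b64 = m.groups()
    pubkey = base64.b64decode("".join(b64.split()))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey
    return owner, int(flags), int(proto), int(alg), rdata


def ds_record(dnskey_line):
    """DS (digest type 2, SHA-256) for a KSK; refuses keys without the SEP bit."""
    owner, flags, _, alg, rdata = parse_dnskey(dnskey_line)
    if not flags & 0x0001:
        raise ValueError("%s: SEP flag clear, DS records are published for KSKs" % owner)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s. IN DS %d %d 2 %s" % (owner.rstrip("."), key_tag(rdata), alg, digest)


def ds_for_registered_zones(conf, dnskey_lines):
    """Map each marked zone to the DS records of its KSKs (ZSKs are skipped)."""
    result = {zone: [] for zone in registered_zones(conf)}
    for line in dnskey_lines:
        owner, flags, _, _, _ = parse_dnskey(line)
        zone = owner.rstrip(".").lower()
        if zone in result and flags & 0x0001:
            result[zone].append(ds_record(line))
    return result


# Constructed sample input (not a real configuration or real keys).
SAMPLE_NAMED_CONF = """\
options { directory "/var/named"; };

zone "example.com" IN {
    type master;
    file "example.com.db";
    // registrar: gkg.net
    auto-dnssec maintain;
    allow-update { key "ddns-key"; };
};

zone "internal.example" {
    type master;
    file "internal.db";
};

zone "example.org" {
    type master;
    file "example.org.db";
    # registrar: gkg.net
};
"""
SAMPLE_DNSKEYS = [
    "example.com. IN DNSKEY 257 3 8 AAE=",        # KSK, dummy key bytes 00 01
    "example.com. IN DNSKEY 256 3 8 AAI=",        # ZSK, skipped
    "example.org. 3600 IN DNSKEY 257 3 8 AAM=",   # KSK, dummy key bytes 00 03
]

if __name__ == "__main__":
    for zone, records in sorted(ds_for_registered_zones(SAMPLE_NAMED_CONF,
                                                        SAMPLE_DNSKEYS).items()):
        for ds in records:
            print(ds)
```

Compare the result with dnssec-dsfromkey -2 on the same .key file before wiring in the registrar call; the two must agree byte for byte, and a mismatch usually means the owner name was not canonicalised.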
Re: Auto-dnssec maintain and 'continous' resigning
On 04/04/13 16:55, Carlos M. Martinez wrote:
> Thank you very much for all the bits, certainly very helpful.
>
> My problem is that this cycle of zone signing triggers zone number
> increases and generates dozens of NOTIFY messages and the corresponding
> zone transfers to all slaves within a short period of time, something
> which I believe is not very friendly to my gracious slave service
> providers.

You might ask your secondary if they care. We secondary for some people, and my view is that I don't care if they send me one NOTIFY a minute and I'm constantly doing tiny IXFR - I just don't care, or see why it's a problem.

But I know some people don't like it. We don't send NOTIFY to one of our secondaries for this reason, and that copy of the zone lags by 0->refresh. It's not a huge problem for me, so if you can tolerate it, "notify explicit" might help.

> Since my signer instance does not provide public service, I would rather
> prefer the signing to be done in a single op and then send a single NOTIFY
> to slaves.
>
> Maybe my problem is 'auto-dnssec maintain', maybe I would be better off
> with the other options.

Well... you might be able to tweak the various sig-* options to bundle up the signing, but that might adversely affect other stuff.

How big is the zone? You could just "cron" a "dnssec-signzone" if it's reasonably sized.
Re: Auto-dnssec maintain and 'continous' resigning
Thank you very much for all the bits, certainly very helpful.

My problem is that this cycle of zone signing triggers zone number increases and generates dozens of NOTIFY messages and the corresponding zone transfers to all slaves within a short period of time, something which I believe is not very friendly to my gracious slave service providers.

Since my signer instance does not provide public service, I would rather prefer the signing to be done in a single op and then send a single NOTIFY to slaves.

Maybe my problem is 'auto-dnssec maintain', maybe I would be better off with the other options.

Looking forward to your thoughts.

~Carlos

On 4/3/13 7:48 PM, Mark Andrews wrote:
>
> In message <515a92a5.3020...@imperial.ac.uk>, Phil Mayers writes:
>> On 04/01/2013 07:36 PM, Carlos M. Martinez wrote:
>>> Reframing the question in more general terms... Which events trigger a
>>> zone re-sign and reload when using "auto-dnssec maintain"?
>>
>> As someone else has already said, zone updates, signature expiration and
>> key events.
>>
>> In particular, it's normal for the SOA serial to constantly increase in
>> a zone with "auto-dnssec maintain", even if nothing else happens,
>> because the signatures will be regenerated every N days. N depends on
>> your config, but is 0.75 * default_sig_life (30 days) by default, i.e.
>> signatures are generated every 22.5 days.
>
> Named attempts to spread out re-signing load for a zone over time
> even if the zone content is essentially static. It takes time to
> regenerate signatures, so you don't want non-threaded builds to stall
> too long re-signing.
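An added example, not from the thread, of how to see in advance whether the next re-signing round of a zone will come as one burst (one serial bump and NOTIFY storm, Carlos's complaint) or trickle out (Mark's spread-out load). It reads RRSIG lines from a dumped signed zone and buckets the estimated regeneration times by day. The zone lines are constructed with dummy signature data; the one modelling assumption, taken from Phil's figure in the thread, is that a signature is regenerated at 3/4 of its validity interval (22.5 days of the 30-day default), so the buckets are an estimate rather than named's exact, jittered schedule.

```python
"""Bucket RRSIG expirations from a signed-zone dump to see whether the next
round of re-signing (and the serial bumps and NOTIFYs it causes) will arrive
as one burst or spread out.

Added example, not from the thread.  The zone lines are constructed and the
signature field is dummy base64.  Assumption, taken from the thread: named
regenerates a signature at 3/4 of its validity interval (22.5 days of the
30-day default); the real times are jittered, as Mark notes, so treat the
buckets as an estimate.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
_RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+\d+\s+\S+\s+\S+")
_EPOCH = datetime(1970, 1, 1)


def _ts(s):
    """RRSIG presentation timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S")


def parse_rrsigs(zone_text):
    """Yield (owner, type covered, expiration, inception) for each RRSIG line."""
    for line in zone_text.splitlines():
        m = _RRSIG_RE.match(line.strip())
        if m:
            owner, typ, exp, inc = m.groups()
            yield owner, typ, _ts(exp), _ts(inc)


def resign_schedule(zone_text, resign_fraction=0.75):
    """Estimated (resign time, owner, type) per signature, earliest first."""
    out = []
    for owner, typ, exp, inc in parse_rrsigs(zone_text):
        out.append((inc + (exp - inc) * resign_fraction, owner, typ))
    return sorted(out)


def burst_report(zone_text, bucket=timedelta(days=1), resign_fraction=0.75):
    """Number of signatures due in each bucket, keyed by bucket start.
    A zone signed in a single run shows one tall bucket: that is the burst of
    serial increments and NOTIFYs the thread is about."""
    counts = Counter()
    for when, _, _ in resign_schedule(zone_text, resign_fraction):
        counts[_EPOCH + bucket * ((when - _EPOCH) // bucket)] += 1
    return dict(sorted(counts.items()))


# Constructed sample: four signatures made in one run, one made a week later.
SAMPLE_ZONE = """\
example.com.      3600 IN RRSIG SOA 8 2 3600 20130504120000 20130404120000 12345 example.com. c2ln
example.com.      3600 IN RRSIG NS 8 2 3600 20130504120000 20130404120000 12345 example.com. c2ln
example.com.      3600 IN RRSIG DNSKEY 8 2 3600 20130504120000 20130404120000 54321 example.com. c2ln
www.example.com.  3600 IN RRSIG A 8 3 3600 20130504120000 20130404120000 12345 example.com. c2ln
mail.example.com. 3600 IN RRSIG A 8 3 3600 20130511083000 20130411083000 12345 example.com. c2ln
"""

if __name__ == "__main__":
    for start, n in burst_report(SAMPLE_ZONE).items():
        print("%s  %d signature(s) due" % (start.date(), n))
```

Run it over the output of dig AXFR (or the zone's .signed file); if one bucket holds nearly everything, the "sig-*" options Phil mentions, or signing from cron with dnssec-signzone and a single NOTIFY afterwards, are the knobs to look at.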
Re: rate limit dns query response ...
> From: prakash

> We are using bind 9.x on linux and would like to create rate limit for DNS
> query from any users ie 10 query per second. Can anyone guide us

I would:

1. read http://www.redbarn.org/dns/ratelimits

2. read the new ARM text about RRL by following the link labeled "Draft text for BIND9 Administrators Reference Manual (ARM)" on http://www.redbarn.org/dns/ratelimits

3. fetch one of the BIND releases and matching patches on the page in the link labeled "Patch files for BIND9" and then build and install them. I would probably use BIND9 9.9.3b2.

4. add something like this to named.conf

    rate-limit {
        responses-per-second 5;
    };

Vernon Schryver  v...@rhyolite.com
Re: DLZ $client% parameter segfault
On 04.04.2013 04:35, Evan Hunt wrote:
>> Thanks certainly blows up the possibility of doing native GeoDNS at the
>> moment? Any chance I am overlooking a method which I could effectively get
>> the clients address into a MySQL query with the current 9.9.2 release?
>
> It's not quite the same as %client%, but I suggest you take a look at
> contrib/dlz/example/dlz_example.c, note the use of the clientinfo structure
> in dlz_lookup(), and see if it's any use to you. You'd have to hack the
> corresponding routine in the mysql DLZ driver.
>
> Incidentally, native GeoIP support has been added as a feature in the 9.10
> release -- you'll be able to use it to specify ACLs, e.g.,
> "match-clients { geoip country US; };". I expect it to be published in Q4
> of this year.

Hmm. A positive step. I see that in 9.8 it was:

    static isc_result_t
    mysql_allnodes(const char *zone, void *driverarg, void *dbdata,
                   dns_sdlzallnodes_t *allnodes)

and now it is:

    static isc_result_t
    mysql_lookup(const char *zone, const char *name, void *driverarg,
                 void *dbdata, dns_sdlzlookup_t *lookup,
                 dns_clientinfomethods_t *methods,
                 dns_clientinfo_t *clientinfo)

Very glad to see that it is now available in the SDLZ API, in principle. But it is still not used: for the %client% (actually $client$) to work, the dbi->client member must be set to the actual string pointer, to be used by build_querystring(), which processes all $escape$'s. For this to happen, mysql_get_resultset() should be passed 'char *client' instead of NULL, from mysql_lookup() and others, but UNUSED(clientinfo); is there.

The block under 'if (strcmp(name, "source-addr") == 0)' in contrib/dlz/example/dlz_example.c does almost the needed thing, except that it also prints the port (BTW, that had better be handled by isc_sockaddr_format() imported, if the port is really needed). So probably isc_netaddr_totext() should be used (to eliminate code duplication).

Then, note that:

1) The allnodes() method in SDLZ still doesn't receive 'clientinfo', but this may be inconsistent for DLZ users: if one answers a client with his IP address on lookup, probably the same RR should go out in AXFR to that client.

2) The other drivers utilizing build_querystring() also need to be patched to set the proper dbi->client, that is,

    * drivers/dlz_mysql_driver.c
    * drivers/dlz_ldap_driver.c
    * drivers/dlz_postgres_driver.c
    * drivers/dlz_odbc_driver.c
    * modules/ldap/dlz_ldap_dynamic.c
    * modules/wildcard/dlz_wildcard_dynamic.c

Fortunately, they all call the *_get_results*() function with a 'client' arg, all the same as in mysql_lookup(), so the fix is similar; maybe put it into a helper func in a common file? e.g. modules/common/dlz_dbi.c or drivers/sdlz_helper.c (they both already duplicate build_querystring() and other things, though).

So, as fixing the NULL-dereferencing segfault by adding a long-awaited feature is good, could you please do that? :-) Processing the client's IP address in DLZ queries is not limited to just GeoIP.

--
Vadim Goncharov
RU-Center NET Department, NET-SYS Group
http://www.nic.ru
phone: +7(495)737-7646 (ext. 4019)
Re: rate limit dns query response ...
On 04.04.13 12:25, prakash wrote:
> We are using bind 9.x on linux and would like to create rate limit for DNS
> query from any users ie 10 query per second. Can anyone guide us

Note that there are no users in DNS, only clients identified by an IP. This kind of rate limiting can be done at firewall level.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
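An added example, not from the thread, that puts numbers behind both replies to prakash's question. It measures the peak one-second query rate per source address in BIND query-log lines (the only "user" the DNS knows, as Matus says), and optionally per IPv4 /24 or IPv6 /56, which are the client-grouping defaults of the RRL feature Vernon points to; the two views can disagree, as the sample shows, because RRL aggregates neighbours. The log lines are constructed in the shape of BIND 9.9's "queries" category output. Note the distinction: this counts queries received, whereas RRL limits identical responses sent, so the numbers are a sizing aid for either a firewall rule or a responses-per-second setting, not a replacement for RRL.

```python
"""Find clients that exceed a per-second query budget in a BIND query log.

Added example, not from the thread.  The log lines are constructed in the
shape of BIND 9.9's 'queries' category output.  Counting is per source
address, with an option to group by IPv4 /24 or IPv6 /56, the client-grouping
defaults of BIND's response rate limiting.  This measures queries received;
RRL itself limits identical responses.
"""
import calendar
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# 04-Apr-2013 12:25:01.003 client 192.0.2.10#40000: query: www.example.com IN A + (10.0.0.1)
_QUERY_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+client\s+(\S+?)#\d+"
    r"(?:\s+\([^)]*\))?:\s+query:\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_query_log(lines):
    """Yield (seconds since epoch, client address, qname, qtype)."""
    for line in lines:
        m = _QUERY_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        secs = calendar.timegm(stamp.timetuple()) + stamp.microsecond / 1e6
        yield secs, m.group(2), m.group(3), m.group(5)


def peak_rate(times, window=1.0):
    """Most events inside any span shorter than `window` seconds (sliding window)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def client_key(addr, group_by_prefix):
    """The address itself, or its /24 (IPv4) or /56 (IPv6) network."""
    if not group_by_prefix:
        return addr
    prefix = 24 if ipaddress.ip_address(addr).version == 4 else 56
    return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))


def offenders(lines, limit=10, window=1.0, group_by_prefix=False):
    """{client or prefix: peak queries per window} for those above `limit`."""
    per_key = defaultdict(list)
    for secs, addr, _, _ in parse_query_log(lines):
        per_key[client_key(addr, group_by_prefix)].append(secs)
    peaks = {k: peak_rate(v, window) for k, v in per_key.items()}
    return {k: n for k, n in peaks.items() if n > limit}


def _line(stamp, addr, qname="www.example.com"):
    return "%s client %s#40000: query: %s IN A + (10.0.0.1)" % (stamp, addr, qname)


# Constructed sample: one host bursts 12 queries in a second, two neighbours
# in the same /24 stay under the limit on their own, one host is quiet.
SAMPLE_LOG = (
    [_line("04-Apr-2013 12:25:01.%03d" % (i * 70), "192.0.2.10") for i in range(12)]
    + [_line("04-Apr-2013 12:25:01.%03d" % (i * 100), "192.0.2.20") for i in range(6)]
    + [_line("04-Apr-2013 12:25:01.%03d" % (i * 100), "192.0.2.30") for i in range(5)]
    + [_line("04-Apr-2013 12:25:%02d.500" % s, "198.51.100.7") for s in (1, 2, 3)]
)

if __name__ == "__main__":
    print("per client:", offenders(SAMPLE_LOG, limit=10))
    print("per /24:   ", offenders(SAMPLE_LOG, limit=10, group_by_prefix=True))
```

Query logging costs a syscall per query, so capture a short sample (rndc querylog on, then off) rather than leaving it enabled on a busy resolver.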
Re: RPZ and negative answers
On 04/04/2013 12:50 AM, Chris Buxton wrote:
> Thanks for the explanation. It seems to me this is a gap in coverage of
> RPZ -- the algorithm should be updated, in my opinion, to cover the case
> of a negative answer.

AIUI it's a deliberately limited mechanism aimed at preventing resolution of harmful domains; NODATA/NXDOMAIN rewriting has caused enough controversy in the recent past that I can understand there being reluctance to extend RPZ to do it.

Can you comment on the use-case?