RE: DNS Sinkhole in BIND

2011-10-27 Thread Lightner, Jeff
Rather a late response I think.

When I set up the rules I spoke about, RPZ was just a gleam in someone's eye.

My post discussed the relative merit of iptables vs. blackholes and didn't 
mention RPZ.  RPZ may be a better solution but it requires one to stop and 
upgrade BIND to get it.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Michelle Konzack
Sent: Wednesday, October 26, 2011 9:01 PM
To: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Hello Lightner, Jeff,

On 2011-10-17 13:28:43, you hammered out the following:
 While setting up blackholes in BIND works fine when I did this on
 Linux I found that setting up iptables to do drops for known bad
 IPs/ranges was slightly better as the traffic never gets to BIND in
 the first place as it is stopped at kernel level.  It simply DROPs the
 packet without telling the bad guys why packets didn't go through.

 Example rules for various IPs that have annoyed me in the past:
 -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
 -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
 -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
 -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
 -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

...and you get the hell on your ass if you have several 1000 of them!
In this case, bind9 with RPZ is cheaper.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux
   Internet Service Provider, Cloud Computing
http://www.itsystems.tamay-dogan.net/

itsystems@tdnet Jabber  linux4miche...@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3   Tel office: +49-176-86004575
77694 Kehl  Tel mobil:  +49-177-9351947
Germany Tel mobil:  +33-6-61925193  (France)

USt-ID:  DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/




Athena(r), Created for the Cause(tm)
Making a Difference in the Fight Against Breast Cancer

-
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS Sinkhole in BIND

2011-10-27 Thread Ryan Novosielski

On 10/17/2011 02:19 PM, Phil Mayers wrote:
 On 10/17/2011 06:38 PM, babu dheen wrote:
 You are absolutely correct Chris. I want to block/redirect all malware
 domain requests initiated by clients by setting up DNS SINKHOLE in Redhat
 BIND server.
 
 In older versions of bind, you needed to create a local zone per malware
 domain (or hostname). There's no special config - just a really big,
 long, list of zones. One problem - there can be hundreds or thousands,
 even tens of thousands of zones - and this makes bind slow to start, and
 use more RAM.

Do you know what version that arrived in? 9.8.0?

-- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark

Re: DNS Sinkhole in BIND

2011-10-27 Thread Michelle Konzack
Hello G.W. Haywood,

On 2011-10-27 16:56:44, you hammered out the following:
 On Thu, 27 Oct 2011 Michelle Konzack wrote:
  ...and you get the hell on you ass if you have several 1000 of them!
  In this case, bind9 with RPZ is cheaper.
 Maybe look at ipsets.  Currently we firewall almost 76,000 networks.
 [root@mail3 ~]# ipset -L | grep -v BLOCK | wc -l
   75845

...by accepting, IPT consumes 90% of the CPU resources.  =8O

Thanks, Greetings and nice Day/Evening
Michelle Konzack


RE: DNS Sinkhole in BIND

2011-10-17 Thread Lightner, Jeff
While setting up blackholes in BIND works fine when I did this on Linux I found 
that setting up iptables to do drops for known bad IPs/ranges was slightly 
better as the traffic never gets to BIND in the first place as it is stopped at 
kernel level.  It simply DROPs the packet without telling the bad guys why 
packets didn't go through.

Example rules for various IPs that have annoyed me in the past:
-A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
-A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
-A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
-A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
-A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

Of course you can do ranges as well in iptables.

Also you should be sure that you're restricting things like recursion and cache 
to trusted environments (i.e. internal lookups) while still allowing lookups 
for domains you're authoritative for to the outside.







Re: DNS Sinkhole in BIND

2011-10-17 Thread babu dheen
You are absolutely correct Chris. I want to block/redirect all malware domain 
requests initiated by clients by setting up DNS SINKHOLE in Redhat BIND server.
 


--- On Mon, 17/10/11, Chris Thompson c...@cam.ac.uk wrote:


From: Chris Thompson c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND
To: Bind Users Mailing List bind-users@lists.isc.org
Cc: babu dheen babudh...@yahoo.co.in
Date: Monday, 17 October, 2011, 8:19 PM


On Oct 16 2011, babu dheen wrote:

 Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.

All the replies to this so far seem to assume that he wants to block evil
entities from using his nameservers. But Google seems to suggest that
DNS Sinkhole usually refers to redirecting names that are being used
for evil purposes to e.g. a local monitoring station - not the same thing
at all.

-- Chris Thompson
Email: c...@cam.ac.uk



Re: DNS Sinkhole in BIND

2011-10-17 Thread Phil Mayers

On 10/17/2011 06:38 PM, babu dheen wrote:

You are absolutely correct Chris. I want to block/redirect all malware
domain requests initiated by clients by setting up DNS SINKHOLE in Redhat
BIND server.


In older versions of bind, you needed to create a local zone per malware 
domain (or hostname). There's no special config - just a really big, 
long, list of zones. One problem - there can be hundreds or thousands, 
even tens of thousands of zones - and this makes bind slow to start, and 
use more RAM.


Example:

zone "www.badstuff.com" {
  type master;
  file "data/malware-common";
};

...and in data/malware-common (record lines are indented so they keep the
apex owner name rather than being read as a new owner):

$TTL 3H
@   IN SOA  @ rname.invalid. (
            0   ; serial
            1D  ; refresh
            1H  ; retry
            1W  ; expire
            3H ); minimum
    NS    @
    A     127.0.0.1
    AAAA  ::1

...adjust the A/AAAA records if you want to redirect.

In newer versions of bind, there is RPZ - response policy zone - where 
you create a zone e.g. malware-list.example.com and put policy records 
in it e.g. www.badstuff.com.malware-list.example.com. Bind honours the 
RPZ when clients make a query.


Example - see section 6.2.16.20 of the Bind 9.8 ARM:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.pdf
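The RPZ approach described above, as an added example that is not code from the thread or from ISC: a small Python generator that turns a list of malware names into an RPZ zone file plus the named.conf statements that load it, handling the junk and duplicates a real feed contains. It assumes the zone name malware-list.example.com from the message, uses 192.0.2.1 as a placeholder sinkhole address, and the sample feed is constructed.

```python
import re

RPZ_ZONE = "malware-list.example.com"   # zone name from the message; placeholder
SINKHOLE_V4 = "192.0.2.1"               # placeholder for a logging web server

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lowercase, drop a trailing dot, keep a leading '*.' wildcard and
    validate every label; return None for anything that would break the zone."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    prefix = ""
    if labels[0] == "*":            # a wildcard is only legal as leftmost label
        prefix, labels = "*.", labels[1:]
    if not labels or not all(LABEL_RE.match(lbl) for lbl in labels):
        return None
    return prefix + ".".join(labels)


def rpz_records(domains, action="nxdomain", wildcard=True):
    """RPZ policy records, one per list entry.
    action="nxdomain": 'CNAME .' makes BIND answer NXDOMAIN (block).
    action="redirect": an A record pointing at the sinkhole (the 'adjust the
    A/AAAA records if you want to redirect' option from the message above).
    wildcard=True adds '*.name' so random hostnames under a known bad domain
    are caught too."""
    rdata = "CNAME ." if action == "nxdomain" else "A " + SINKHOLE_V4
    seen, lines = set(), []
    for entry in domains:
        name = normalize(entry)
        if name is None or name in seen:  # skip junk and duplicates from overlapping feeds
            continue
        seen.add(name)
        lines.append(f"{name}.{RPZ_ZONE}. {rdata}")
        if wildcard and not name.startswith("*."):
            lines.append(f"*.{name}.{RPZ_ZONE}. {rdata}")
    return lines


def rpz_zone(domains, serial, action="nxdomain"):
    """Complete zone file text: SOA and NS at the apex, then the policy records."""
    head = [
        f"$ORIGIN {RPZ_ZONE}.",
        "$TTL 1H",
        f"@ IN SOA ns.{RPZ_ZONE}. hostmaster.{RPZ_ZONE}. ({serial} 1D 1H 1W 1H)",
        f"@ IN NS ns.{RPZ_ZONE}.",
    ]
    return "\n".join(head + rpz_records(domains, action)) + "\n"


def named_conf_snippet(zone_file):
    """named.conf statements: the zone itself, plus the response-policy line
    that belongs inside the existing options block."""
    return (f'zone "{RPZ_ZONE}" {{ type master; file "{zone_file}"; }};\n'
            '// inside options { ... }:\n'
            f'response-policy {{ zone "{RPZ_ZONE}"; }};\n')


if __name__ == "__main__":
    # Constructed sample feed: mixed case, trailing dot, a duplicate, junk, wildcard.
    feed = ["www.badstuff.com", "WWW.BadStuff.com.", "bad_name.com", "*.c2.example"]
    print(rpz_zone(feed, serial=2011101701), end="")
    print(named_conf_snippet("data/rpz-malware-list"), end="")
```

Bump the serial on every regeneration so slaves of the policy zone pick up the change, and reload with rndc after writing the file.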


Re: DNS Sinkhole in BIND

2011-10-17 Thread Ryan Novosielski
I do this. There may now be a smarter way, but I have a small number so this is 
manageable for me: configure zones for each of the evil zones. Your server will 
appear authoritative and you can direct clients wherever you like. I direct 
some of mine to a virtualhost handing out 503 errors.

-- Sent from my Palm Pre

RE: DNS Sinkhole in BIND

2011-10-17 Thread Lightner, Jeff
I’m confused – does the OP want to block or does he want to redirect?  
“block/redirect” are two different things.   What I wrote will block.   If he 
wants to redirect that’s fine but I don’t think he’d want to redirect to his 
real webserver – why send bogus traffic there and also take the risk that, being 
so directed, the bad user will be able to hack?   Dropping the packet in DNS 
stops it cold.   (Not saying they can’t get to web servers via legitimate 
paths but it appears the OP has known malefactors.)   Is the OP building a 
honeypot?








Re: DNS Sinkhole in BIND

2011-10-17 Thread Fr34k
http://www.sans.org/reading_room/whitepapers/dns/dns-sinkhole_33523

Perhaps the above link target may help.

Thanks.





Re: DNS Sinkhole in BIND

2011-10-17 Thread Phil Mayers

On 10/17/2011 09:05 PM, Lightner, Jeff wrote:

I’m confused – does the OP want to block or does he want to redirect.
“block/redirect” are two different things. What I wrote will block. If


It'll block IPs, and whole IPs at that. If the server is shared, you 
block all traffic to it, not just the domain name you want to block 
(this is more a theoretical than practical concern - how often do 
malware nodes share an IP with legit nodes?)


Malware queries names, and those names are often updated frequently, or 
are random names inside a well-known domain.



he wants to redirect that’s fine but I don’t think he’d want to redirect
to his real webserver – why send bogus traffic there and also take the
risk that being so directed the bad user will be able to hack? Dropping


I can't parse that last sentence, but the idea behind directing to a 
webserver you control is logging; it can be easier to correlate hits on 
a (relatively quiet) logging webserver than an (possibly very busy) DNS 
server.



the packet in DNS stops it cold. (Not saying they can’t get to web
servers via legitimate paths but it appears the OP has known
malefactors.) Is the OP building a honeypot?


No. He's directing (wanting to direct) malware control / download / 
self-update DNS queries away from the real zones and to a logging 
webserver under his control, as far as I can see.


DNS Sinkhole in BIND

2011-10-16 Thread babu dheen
Hi,
 
 Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition. 
 
Regards
babu

Re: DNS Sinkhole in BIND

2011-10-16 Thread TCPWave Customer Care
Babu

The following example defines two access control lists and uses an
options statement to define how they are treated by the nameserver:

acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
acl red-hats { 10.0.1.0/24; };

options {
    blackhole { black-hats; };
    allow-query { red-hats; };
    allow-recursion { red-hats; };
};

This example contains two access control lists, black-hats and red-hats.
Hosts in the black-hats list are denied access to the nameserver, while
hosts in the red-hats list are given normal access.

Regards
TCPWave Customer Care


On Sun, 2011-10-16 at 23:30 +0530, babu dheen wrote:
 Hi,
  
  Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit
 edition. 
  
 Regards
 babu