Re: DNS Queries Using API - BIND9

2020-05-10 Thread Vadim Pavlov via bind-users
Hi Blason, There are open source clients for iOS (DNSCloak) and Android (Intra) which use DoH (you will need to install a DoH proxy) but I’m not aware about free clients for Mac/Windows/Linux (may be because they have embedded clients which can be configured to use any 3rd party DNS :). The ma

Re: DNS Queries Using API - BIND9

2020-05-10 Thread Vadim Pavlov via bind-users
will be using it just in browsers). Vadim > On May 10, 2020, at 23:26, Daniel Stirnimann > wrote: > > > > On 11.05.20 08:18, Vadim Pavlov via bind-users wrote: >> The main issue is that bind doesn’t provide an authentication method. So in >> any case you somehow shoul

Re: DNS Queries Using API - BIND9

2020-05-10 Thread Vadim Pavlov via bind-users
o...@gmail.com>> wrote: > Hmm- Any docs on configuring DoH Proxy? > > On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann > mailto:daniel.stirnim...@switch.ch>> wrote: > > > On 11.05.20 08:18, Vadim Pavlov via bind-users wrote: > > The main issue is that bind doesn’t p

Re: Building Geo Map using Queries

2018-06-09 Thread Vadim Pavlov via bind-users
Hi Blason, You can use the MaxMind GeoIP DB and enrich logs with the data you need. Vadim > On 09 Jun 2018, at 17:33, Blason R wrote: > > Hi There, > > I have a DNS RPZ server running and have configured logstash on the same to > parse the DNS RPZ logs. > > My requirement is I need to build a Geo Map

Re: Building Geo Map using Queries

2018-06-09 Thread Vadim Pavlov via bind-users
Nope. YMMV depending on your requirements. I did it a while ago but I've just parsed the query logs with my script and stored logs in MySQL + used google maps to show it ( http://dnsstat.ipvm.biz/ and a funny video: https://youtu.be/mI1p0VjalT ). I needed more details

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Vadim Pavlov via bind-users
Hi, RPZ is just a simple feature to block/log/redirect DNS requests. It doesn't analyse DNS requests & responses or client behaviour. So RPZ can block a domain which is used for DNS Exfil/Infil/Tunneling, but to detect Exfiltration you should use 3rd party tools/software (e.g. Infoblox Threat

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Vadim Pavlov via bind-users
DNSSEC can be used for infiltration/tunneling (when you get data from DNS servers) but there is a catch that such requests can be easily dropped. Vadim > On 17 Jun 2018, at 09:44, Sten Carlsen wrote: > > Interesting, the DNSSEC records with their by definition random and large > content seem

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Vadim Pavlov via bind-users
"standard/usual" TXT records you can use DNSKEY to pass data from a remote DNS server. Vadim > On 17 Jun 2018, at 10:07, Grant Taylor via bind-users > wrote: > > On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote: >> DNSSEC can be used for infiltration/t

Re: Question about BIND and RPZ

2018-08-04 Thread Vadim Pavlov via bind-users
Hi Felipe, You do need to do that. You may configure the redirect action on a zone level. Just add "policy cname domain": [ response-policy { zone zone_name [ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cname domain ) ] [ recursi

Re: Question about BIND and RPZ

2018-08-04 Thread Vadim Pavlov via bind-users
Sorry for the confusion. I thought that you had access to the RPZ feeds. You can not trigger an RPZ rule by the recursion bit. You should contact your DNS provider and ask them to provide you, instead of NXDOMAIN, a different response which can be used to trigger RPZ on your Bind (e.g. unused IP

Re: Need help on RPZ server, bit urgent

2018-08-10 Thread Vadim Pavlov via bind-users
Should be: response-policy {zone "whitelist.allow" policy passthru; zone "malware.trap"; zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; Vadim > On 09 Aug 2018, at 20:50, Blason R wrote: > > This is the error I am getting > >

Re: Saurabh: Want to exclude the MX Record from my RPZ Configuration.

2018-09-06 Thread Vadim Pavlov via bind-users
You can not accomplish that task using RPZ. It doesn't allow substituting/blocking a specific record while bypassing others. Vadim > On 06 Sep 2018, at 22:24, Saurabh Srivastava wrote: > > Dear Bind-Users, > > Greetings of the Day!!! > > I am stuck at one place in my DNS RPZ. > I want to exclude

Re: rpz using a forward zone

2019-06-05 Thread Vadim Pavlov via bind-users
You can spin up a separate instance of bind (or use my open-source ioc2rpz DNS server) to feed (via a zone transfer) the modified zone to your older bind instance. Vadim > On Jun 5, 2019, at 13:04, Mike Woods wrote: > > I was afraid that would be the answer, time to try some other solutions >

Re: DNS RPZ Protection From DoH

2019-10-02 Thread Vadim Pavlov via bind-users
You didn’t get the sarcasm in the previous email :) The issue is that you can not 100% block DoH w/o blocking HTTPS. You may block well-known domains and IPs, but there are many unknown ones, and for targeted attacks new servers can be created even behind legit (but compromised) websites. Vadim > On O