RPZ and negative answers

Chris Buxton clists at buxtonfamily.us
Thu Apr 4 22:02:33 UTC 2013


On Apr 4, 2013, at 1:42 AM, Phil Mayers wrote:
> On 04/04/2013 12:50 AM, Chris Buxton wrote:
> 
>> Thanks for the explanation. It seems to me this is a gap in coverage
>> of RPZ -- the algorithm should be updated, in my opinion, to cover
>> the case of a negative answer.
> 
> AIUI it's a deliberately limited mechanism aimed at preventing resolution of harmful domains; NODATA/NXDOMAIN rewriting has caused enough controversy in the recent past that I can understand there being reluctance to extend RPZ to do it.
> 
> Can you comment on the use-case?

Sure. Here's an example.

A company wants to halt the spread of a piece of malware that uses DNS lookups to find its C&C. The malware is known to try computed domain names successively until one resolves, and then connect to the resolved address. The company has set up a honeypot server to control the malware and keep it quiescent.

The company has determined the first N domains of the sequence, but does not know how to calculate the complete set of domains. Therefore, the company wants to put the known domains into an RPZ. Normal, individual zones would also work, but this would require mixing them with other data in their management system. The customer wants to keep these domains separate from other managed data.

Unfortunately, because RPZ doesn't return a policy-based answer when there is no positive answer to be found out on the Internet, RPZ is not a suitable solution. Therefore, the customer is forced to create the individual zones normally, mixing them with other data in their management solution, rather than using RPZ to trap the malware into contacting the honeypot server.

Chris Buxton
BlueCat Networks
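The zone the message describes, written out as an added example (not from the thread or from BlueCat): an RPZ that answers the known domains of the malware's sequence with the honeypot's address. Domain names, the 192.0.2.10 honeypot address, the zone name and the serial are placeholders.

```zone
; Added example, not from the original thread: an RPZ that maps the known
; computed domains to the company's honeypot. All names and addresses below
; are placeholders.
;
; Loaded in named.conf (BIND 9.8 or later) with:
;   zone "rpz.example.local" { type master; file "rpz.example.local.db"; };
;   options { response-policy { zone "rpz.example.local"; }; };
$TTL 300
@   IN SOA  localhost. hostmaster.example.local. ( 2013040401 3600 900 604800 300 )
@   IN NS   localhost.

; First N domains of the sequence, each answered with the honeypot's address
; ("local data" action) instead of whatever the Internet would return.
dga-name-0001.example.com     IN A  192.0.2.10
dga-name-0002.example.com     IN A  192.0.2.10
dga-name-0003.example.com     IN A  192.0.2.10

; Wildcard rules also catch any hostname beneath a known domain.
*.dga-name-0001.example.com   IN A  192.0.2.10
*.dga-name-0002.example.com   IN A  192.0.2.10
*.dga-name-0003.example.com   IN A  192.0.2.10
```

As the message explains, a rule here only replaces a positive upstream answer: when the upstream lookup returns NXDOMAIN, the resolver passes that through and the rule never fires, which is the gap the thread is about.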
