RPZ and negative answers

Vernon Schryver vjs at rhyolite.com
Thu Apr 4 23:51:23 UTC 2013


> From: Chris Buxton <clists at buxtonfamily.us>

> A company wants to halt the spread of a piece of malware that
> uses DNS lookups to find its C&C. ...

> The company has determined the first N domains of the sequence,
> but does not know how to calculate the complete set of domains.
> ...

> Unfortunately, because RPZ doesn't return a policy-based answer when
> there is no positive answer to be found out on the Internet, RPZ is
> not a suitable solution. Therefore, the customer is forced to create
> the individual zones normally, mixing them with other data in their
> management solution, rather than using RPZ to trap the malware into
> contacting the honeypot server.

Why isn't it both sufficient and better to list the NS servers or
NS servers for the NS servers of the evil domains?  Won't NS servers
for the N domains be known, especially after the first of the N
domains goes active?


Vernon Schryver    vjs at rhyolite.com
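As an added illustration (not part of the thread above), here is a constructed RPZ zone showing the difference between a QNAME trigger, which depends on the queried name itself, and the NSDNAME/NSIP triggers Vernon points at, which fire on the name servers a domain is delegated to; all names and addresses (rpz.example, evil-ns.example, honeypot.example, 192.0.2.0/24) are placeholders, while the rpz-nsdname and rpz-nsip labels are BIND's real trigger suffixes.

```zone
; Constructed RPZ zone "rpz.example" (placeholder names and addresses).
; Loaded in named.conf with:  response-policy { zone "rpz.example"; };
$TTL 300
@   IN SOA  rpz.example. hostmaster.rpz.example. (
            2013040401 3600 900 604800 300 )
    IN NS   localhost.

; --- QNAME triggers: one record per known C&C name.
; The resolver rewrites the answer to the honeypot instead of the real address.
; Only covers the N names already enumerated, so later domains are missed.
c2-0001.example     IN CNAME honeypot.example.
c2-0002.example     IN CNAME honeypot.example.

; --- NSDNAME trigger: any queried name whose delegation points at
; ns1.evil-ns.example (or, with the wildcard form, any host under
; evil-ns.example) is rewritten, whatever the queried name itself is.
ns1.evil-ns.example.rpz-nsdname   IN CNAME honeypot.example.
*.evil-ns.example.rpz-nsdname     IN CNAME honeypot.example.

; --- NSIP trigger: same idea keyed on the name server's address.
; Owner is prefix-length then the reversed IPv4 octets: 192.0.2.0/24.
24.0.2.0.192.rpz-nsip             IN CNAME honeypot.example.

; --- Exception: never rewrite answers for the honeypot name itself,
; so the CNAME targets above still resolve normally.
honeypot.example    IN CNAME rpz-passthru.
```

A delegation-based trigger only helps once the malware's domains are actually delegated somewhere, which is Vernon's point: names that do not yet exist in the DNS produce no NS records for the trigger to match.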

