RPZ and negative answers

Torsten Segner torsten at segner.eu
Fri Apr 5 06:51:54 UTC 2013


On Thu, 4 Apr 2013 23:51:23 GMT,
Vernon Schryver <vjs at rhyolite.com> wrote:

> > From: Chris Buxton <clists at buxtonfamily.us>
> 
> > A company wants to halt the spread of a piece of malware that
> > uses DNS lookups to find its C&C. ...
> 
> > The company has determined the first N domains of the sequence,
> > but does not know how to calculate the complete set of domains.
> > ...
> 
> > Unfortunately, because RPZ doesn't return a policy-based answer when
> > there is no positive answer to be found out on the Internet, RPZ is
> > not a suitable solution. Therefore, the customer is forced to create
> > the individual zones normally, mixing them with other data in their
> > management solution, rather than using RPZ to trap the malware into
> > contacting the honeypot server.
> 
> Why isn't it both sufficient and better to list the NS servers or
> NS servers for the NS servers of the evil domains?  Won't NS servers
> for the N domains be known, especially after the first of the N
> domains goes active?
> 
Uhm... maybe I'm doing something wrong but RPZ answer rewrites on NXDOMAIN hosts do work for me.

We do have a customer who wants us to resolve some hosts, which are normally in their inside zone within their platform in our datacenter, while the rest of the zone should be answered by the outside zone.


Here's our config


named.conf:

options {
        directory "/named/dns01.somecustomer.de/";

        query-source address x.x.x.x port *;
        listen-on port 53 { x.x.x.x; };

        pid-file "log/named.pid";
        allow-query { any; };
        minimal-responses yes;
        version "";
        statistics-file "log/stats";
        max-cache-size 1000M;
        clients-per-query 25;
};

view "MESA_live" {

        match-clients { any; };

        // Policy zone applied to every answer in this view; the QNAME
        // rules in it are consulted whether or not the real answer
        // is NXDOMAIN.
        response-policy {
                zone "myrpz-rpz";
        };

        empty-zones-enable yes;
        empty-server "blackhole.easynet.de";
        empty-contact "admin.easynet.com";

        zone "com" {
                type delegation-only;
        };

        zone "net" {
                type delegation-only;
        };

        // The policy zone itself; clients must not be able to query it
        // directly.
        zone "myrpz-rpz" {
                type master;
                file "conf/myrpz-rpz";
                allow-query { none; };
        };
}


view "MCS_compact" {

        ...
};




myrpz-rpz:

$TTL 43200
@       IN      SOA a.prim-ns.de.       hostmaster.de.easynet.net.   (
                2012041802      ; serial (YYYYMMDDnn)
                28800           ; refresh
                7200            ; retry
                604800          ; expire
                1200            ; minimum
                )

        IN      NS      localhost.

; QNAME trigger, relative to the policy zone origin: answers for
; subdomain.domain.de are replaced with this "local data" A record.
subdomain.domain.de  60 A       172.26.30.231

The above setting is rewriting NXDOMAIN answers for subdomain.domain.de to the above IP address, while every other host still gets the information from the customer's outside zone.

Am I doing something substantially wrong here RPZ wise?
Ciao
Torsten