Can we block/detect DNS beacon channels?

Grant Taylor gtaylor at
Wed May 2 19:41:46 UTC 2018

On 05/02/2018 12:59 PM, Blason R wrote:
> Well, challenge is not implementing RPZ that part is done but now 
> wondering as a advanced part if such attacks can be detected as well 
> blocked by using RPZ? I guess one option I see if to deploy HIDS on BIND 
> server like suricata which will detect such attacks. But that will 
> consume lot of resources hence wondering if natively can we configure 
> anything like that?
RPZ works on known ahead of time text strings / IP matches.  As such, 
there's really no intelligence to it.  If it matches a pattern, do 

Note:  Pattern isn't anything nearly as nice as an RE.

So you would need /something/ to watch traffic and apply logic to it, 
modifying the RPZ after the fact.

Conversely, RPS outsources that intelligence to something else to 
directly apply the logic during the query.

It really sounds like you're after RPS.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3982 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the bind-users mailing list