<html><head></head><body><div class="ydp7b171c84yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr" data-setdir="false">Hello Chuck,</div><div dir="ltr" data-setdir="false">Thank you for this clarification.</div><div dir="ltr" data-setdir="false">I get your point and it makes sense.</div><div dir="ltr" data-setdir="false">Regards<br></div><div><br></div>
</div><div id="yahoo_quoted_2340384821" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
Le jeudi 24 octobre 2019 à 05:38:03 UTC+2, Chuck Aurora <ca@nodns4.us> a écrit :
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">On 2019-10-23 18:14, Mik J via bind-users wrote:<br clear="none">Hi,<br clear="none"><br clear="none">> I know that the RPZ functionality aims to block/redirect/log DNS<br clear="none">> queries from the inner network.<br clear="none">> <br clear="none">> What about the authoritative DNS facing the Internet ?<br clear="none">> <br clear="none">> I receive some spam, I get probed on my webservers etc.<br clear="none">> Many of these annoiyances start with a DNS query.<br clear="none">> <br clear="none">> What is mydomain.org ? My DNS answers 1.2.3.4<br clear="none">> Then the annoyances starts on port 25 or 80 or 443...<br clear="none">> <br clear="none">> So my question is this one.<br clear="none">> Is it possible to load a list of IP clients and/or networks that can<br clear="none">> be called the "zombie list"<br clear="none">> If a computer from the zombie list wants to resolve mydomain.org, my<br clear="none"><br clear="none">Here is where you err. You're assuming that you will know the source<br clear="none">of the query and be able to associate a certain query with an attack.<br clear="none">That's highly improbable.<br clear="none"><br clear="none">Most [probably all] of these annoyances are malware running on<br clear="none">compromised machines. Malware usually makes an effort to stay small,<br clear="none">and as such, it's likely to offload as much as it can to the system<br clear="none">libraries. Name resolution is a good candidate for offloading.<br clear="none"><br clear="none">The system library will send DNS queries to the nameserver[s] as<br clear="none">received from DHCP. Those nameservers will do the recursion, and you<br clear="none">will see the queries coming from ISP resolvers and open resolvers like<br clear="none">Google's.<div class="yqt0084067457" id="yqtfd88088"><br clear="none"><br clear="none">> DNS replies 127.0.0.1 or some IP that are allocated to an antartic<br clear="none">> network.<br clear="none">> Then, I never get annoyed.</div><br clear="none"><br clear="none">Even if you DO correctly pin the query to the attack, you do NOT want<br clear="none">to poison Google's cache with misinformation.<br clear="none"><br clear="none">Sorry.<br clear="none"><br clear="none">Also, if you were to do something like this, please do NOT abuse real<br clear="none">IP address holders, especially not our .AQ friends. I'm sure network<br clear="none">lag there is bad enough without us making it worse.<br clear="none"><br clear="none">-CA<br clear="none">_______________________________________________<br clear="none">Please visit <a shape="rect" href="https://lists.isc.org/mailman/listinfo/bind-users " target="_blank">https://lists.isc.org/mailman/listinfo/bind-users </a>to unsubscribe from this list<br clear="none"><br clear="none">bind-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:bind-users@lists.isc.org" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br clear="none"><a shape="rect" href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><div class="yqt0084067457" id="yqtfd48049"><br clear="none"></div></div></div>
</div>
</div></body></html>