<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I posted just such a thing a few weeks ago on the dnsrpz list at
redbarn. Hrm, seems to be down at the moment.<br>
</p>
<div class="moz-cite-prefix">On 12/2/21 11:00 AM, Grant Taylor via
bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9d2e7178-cf54-6ba5-88cb-4a5fed5938cb@spamtrap.tnetconsulting.net">On
12/2/21 9:59 AM, Fred Morris wrote:
<br>
<blockquote type="cite">Hello, Rear View RPZ
(<a class="moz-txt-link-freetext" href="https://github.com/m3047/rear_view_rpz">https://github.com/m3047/rear_view_rpz</a>) is now generally
available: turn your local BIND resolver into a network
investigation enabler with locally generated PTR records.
<br>
</blockquote>
<br>
Would you please elaborate on what Rear View RPZ does?
<br>
<br>
It seems as if it synthetically fabricates PTR records (which are
served via RPZ) with some additional information for subsequent
use by investigators.
<br>
<br>
If that is correct, please provide an example of the original PTR
and the synthetic augmented PTR.
<br>
</blockquote>
<p>\/ \/ \/ \/ \/ (ob ascii art!)<br>
</p>
<p>-------- Forwarded Message --------</p>
<div class="moz-forward-container">
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>[DNSfirewalls] I've got smoke! Re: Using DnsTap to
populate a reverse DNS RPZ</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Mon, 15 Nov 2021 09:49:26 -0800</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Fred Morris <a class="moz-txt-link-rfc2396E" href="mailto:m3047@m3047.net"><m3047@m3047.net></a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:dnsfirewalls@lists.redbarn.org">dnsfirewalls@lists.redbarn.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
Hi. It's been a while.<br>
<br>
Anyway, I did this. It'll be going up on GitHub. I'll post another<br>
announcement here, and probably on dnstap and bind-users, when
it's got<br>
training wheels.<br>
<br>
The way this works is a "sputnik" which consumes BIND's Dnstap
telemetry<br>
and uses it to populate the RPZ using dynamic updates.<br>
<br>
--<br>
<br>
FWM<br>
<br>
On 3/19/21 12:57 PM, Fred Morris wrote:<br>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">This is a tactical defender-centric tool, intended to augment everyday
tools' usability, e.g. "iptables -L -v". It's an RPZ, but it's not a
ban hammer.
On Fri, 19 Mar 2021, Andrew Fried wrote:
<blockquote type="cite"><pre class="moz-quote-pre" wrap="">[...]
You will often see generic 4-3-2-1.some.domain ptr records despite an
actual host/domain points at the ip, particularly in cloud environments.
</pre></blockquote>
Exactly the point!
</pre>
</blockquote>
--<br>
<br>
m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1
<a class="moz-txt-link-abbreviated" href="http://www.cnn.com">www.cnn.com</a><br>
<br>
; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1
<a class="moz-txt-link-abbreviated" href="http://www.cnn.com">www.cnn.com</a><br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
54804<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL:
1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: 04b5f7fa4c6aded4a8b6a4b3619299ce772407a3c447a114 (good)<br>
;; QUESTION SECTION:<br>
;www.cnn.com. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a class="moz-txt-link-abbreviated" href="http://www.cnn.COM">www.cnn.COM</a>. 297 IN CNAME
turner-tls.map.fastly.net.<br>
turner-tls.map.fastly.net. 27 IN A 151.101.53.67<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Mon Nov 15 09:33:02 PST 2021<br>
;; MSG SIZE rcvd: 134<br>
<br>
m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1<br>
rearview.m3047.net axfr<br>
<br>
; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1
rearview.m3047.net axfr<br>
; (1 server found)<br>
;; global options: +cmd<br>
REARVIEW.M3047.NET. 600 IN SOA DEV.NULL.<br>
M3047.M3047.NET. 2 600 60 86400 600<br>
REARVIEW.M3047.NET. 600 IN NS LOCALHOST.<br>
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT<br>
"depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0.6666666666666666"<br>
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR
<a class="moz-txt-link-abbreviated" href="http://www.cnn.com">www.cnn.com</a>.<br>
REARVIEW.M3047.NET. 600 IN SOA DEV.NULL.<br>
M3047.M3047.NET. 2 600 60 86400 600<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Mon Nov 15 09:33:10 PST 2021<br>
;; XFR size: 5 records (messages 1, bytes 382)<br>
<br>
m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1
infoblox.com<br>
<br>
; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1
infoblox.com<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
36850<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: 666ea36e97a11479a198007e61929a416afc140bc683c5cc (good)<br>
;; QUESTION SECTION:<br>
;infoblox.com. IN A<br>
<br>
;; ANSWER SECTION:<br>
infoblox.com. 3600 IN A 23.185.0.3<br>
<br>
;; Query time: 109 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Mon Nov 15 09:34:57 PST 2021<br>
;; MSG SIZE rcvd: 85<br>
<br>
m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1<br>
rearview.m3047.net axfr<br>
<br>
; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1
rearview.m3047.net axfr<br>
; (1 server found)<br>
;; global options: +cmd<br>
REARVIEW.M3047.NET. 600 IN SOA DEV.NULL.<br>
M3047.M3047.NET. 3 600 60 86400 600<br>
REARVIEW.M3047.NET. 600 IN NS LOCALHOST.<br>
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT<br>
"depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0.6666666666666666"<br>
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR
<a class="moz-txt-link-abbreviated" href="http://www.cnn.com">www.cnn.com</a>.<br>
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN TXT<br>
"depth=1,first=1636997699.3390522,last=1636997699.3390543,count=1,trend=0.0,score=0.5"<br>
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN PTR
infoblox.com.<br>
REARVIEW.M3047.NET. 600 IN SOA DEV.NULL.<br>
M3047.M3047.NET. 3 600 60 86400 600<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Mon Nov 15 09:35:02 PST 2021<br>
;; XFR size: 7 records (messages 1, bytes 547)<br>
<br>
m3047@sophia:~/GitHub/rear_view_rpz/python> dig -x 23.185.0.3<br>
<br>
; <<>> DiG 9.12.3-P1 <<>> -x 23.185.0.3<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:
31234<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: c99baad9134300b5c7c0938361929b634fc1d9fd56d9f674 (good)<br>
;; QUESTION SECTION:<br>
;3.0.185.23.in-addr.arpa. IN PTR<br>
<br>
;; AUTHORITY SECTION:<br>
23.in-addr.arpa. 10800 IN SOA z.arin.net.<br>
dns-ops.arin.net. 2017032657 1800 900 691200 10800<br>
<br>
;; Query time: 1174 msec<br>
;; SERVER: 10.0.0.220#53(10.0.0.220)<br>
;; WHEN: Mon Nov 15 09:39:47 PST 2021<br>
;; MSG SIZE rcvd: 149<br>
<br>
m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 -x
23.185.0.3<br>
<br>
; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 -x
23.185.0.3<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
46633<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
2<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: fa006de254213cbe5d5ecfe061929b727fc60cca0a56dc9a (good)<br>
;; QUESTION SECTION:<br>
;3.0.185.23.in-addr.arpa. IN PTR<br>
<br>
;; ANSWER SECTION:<br>
3.0.185.23.in-addr.arpa. 5 IN PTR infoblox.com.<br>
<br>
;; ADDITIONAL SECTION:<br>
REARVIEW.M3047.NET. 1 IN SOA DEV.NULL.<br>
M3047.M3047.NET. 3 600 60 86400 600<br>
<br>
;; Query time: 437 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Mon Nov 15 09:40:02 PST 2021<br>
;; MSG SIZE rcvd: 174<br>
<br>
</div>
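<p>Added example (not code from the rear_view_rpz project): how a resolved answer chain seen in Dnstap turns into the RPZ records shown in the zone transfer above, and how the TXT telemetry is read back. The owner-name layout, the assumed score formula depth/(depth+1) (it reproduces the 0.5 and 0.666… values above), and the zone name are assumptions; the reverse-pointer construction also covers IPv6 (ip6.arpa), which the transfer above does not show.</p>

```python
"""Build Rear View RPZ-style reverse records from one observed resolution.

Added example, not the project's code. Assumptions: the owner name is the
address's in-addr.arpa / ip6.arpa name appended to the RPZ zone, the PTR
target is the name the client asked for, and the TXT string carries the
depth/first/last/count/trend/score fields seen in the zone transfer.
"""
import ipaddress

RPZ_ZONE = "rearview.m3047.net"   # zone name taken from the transfer above


def rpz_owner(address: str, zone: str = RPZ_ZONE) -> str:
    """Reverse-pointer name of the address, placed under the RPZ zone.

    ipaddress handles both families, so an IPv6 address yields an
    ip6.arpa owner name the same way.
    """
    rev = ipaddress.ip_address(address).reverse_pointer
    return f"{rev}.{zone}."


def build_records(qname: str, chain: list, first: float, last: float,
                  count: int = 1, trend: float = 0.0) -> list:
    """Return (owner, ttl, rtype, rdata) tuples for one resolution.

    chain is the answer section in order: ("CNAME", target) ... ending in
    ("A"|"AAAA", ip). depth is the number of RRs walked from qname to the
    address: 1 for a direct A, 2 for one CNAME then an A.
    """
    depth = len(chain)
    rtype, addr = chain[-1]
    if rtype not in ("A", "AAAA"):
        raise ValueError("chain must end in an address record")
    owner = rpz_owner(addr)
    score = depth / (depth + 1)   # assumed formula; matches the sample values
    txt = (f"depth={depth},first={first},last={last},"
           f"count={count},trend={trend},score={score}")
    return [(owner, 600, "TXT", f'"{txt}"'),
            (owner, 600, "PTR", qname.rstrip(".") + ".")]


def parse_txt(rdata: str) -> dict:
    """Parse the telemetry TXT string back into typed fields."""
    fields = {}
    for kv in rdata.strip('"').split(","):
        key, val = kv.split("=", 1)
        fields[key] = int(val) if key in ("depth", "count") else float(val)
    return fields
```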
</body>
</html>