On Friday 24 June 2005 09:04, Carl Holtje ;021;vcsg6; wrote:
> > BIND 9, transparent DNS proxying for clients to force them into our
> > local nameserver, where we have a simple null zone file which is
> > loaded as master for each blocked domain. It points a wildcard "A"
> > at an internal IP.
>
> Would you be so kind as to post a randomly-selected zone file for our
> enjoyment?

[file: null.zone]
$TTL 86400              ; one day
@       IN SOA  ns.local.lan. hostmaster.local.lan. (
                2004081000      ; serial number YYYYMMDDNN
                28800           ; refresh 8 hours
                7200            ; retry 2 hours
                864000          ; expire 10 days
                86400 )         ; min ttl 1 day
        NS      ns.local.lan.
        A       192.168.40.1
*       IN A    192.168.40.1
[end file]

> > Among other things, that internal machine runs a Web server. When
> > we first started doing this, its Apache logs were inundated with
> > 404's as the now-stranded spyware attempted to phone home.
>
> So you take a DNS (port 53) request and re-write it as HTTP (port
> 80)??

No. The spyware does a DNS lookup and then an HTTP request to the IP
returned.

> Wouldn't it just be easier to reply to the DNS request with a "host
> not found"? Or were you trying to log the requests to find the
> infected hosts..?

When I first did this I had no idea what was going to happen. :)

Later on I decided to stick with the internal IP for that reason, yes,
it does help us identify infected hosts. DNS logging would have
accomplished the same thing.
-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header
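A worked example of the two halves of the sinkhole described above, added here by the editor and not part of the original thread or of the poster's own setup. The first function emits the named.conf stanzas that load one shared null zone file as master for every blocked domain; the second scans access-log lines from the sinkhole web server and reports which client IPs tried to phone home to which sinkholed names. Everything specific is an assumption: the domain names and client IPs are made up, the log lines are constructed for the example, the zone file path is hypothetical, and the web server is assumed to log the Host: header (e.g. an Apache LogFormat ending in %{Host}i), which the post does not show.

```python
"""Helpers for a BIND 9 DNS sinkhole of the kind described in the thread.

Added example code, not the poster's scripts.  Assumptions are marked.
"""
import re
from collections import defaultdict

# Names accepted into named.conf: dot-separated labels of letters, digits and
# hyphens only.  Quotes, semicolons and braces are refused so that a hostile
# or sloppy blocklist entry cannot inject directives into the config file.
_ZONE_NAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)

# Apache combined log format plus a trailing Host: header field (%{Host}i).
# ASSUMPTION: the sinkhole web server logs in this shape.
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<host>\S+)$'
)


def normalize_domain(name):
    """Lower-case a name and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")


def is_valid_zone_name(name):
    """True if `name` is safe to interpolate into a named.conf zone stanza."""
    return bool(_ZONE_NAME_RE.match(name))


def named_conf_zones(domains, zone_file="/etc/bind/null.zone"):
    """Return named.conf text with one master zone stanza per blocked domain.

    Every stanza points at the same wildcard zone file, which is what lets a
    single null zone answer for many blocked domains.  `zone_file` is a
    hypothetical path.
    """
    stanzas = []
    for name in sorted({normalize_domain(d) for d in domains if d.strip()}):
        if not is_valid_zone_name(name):
            raise ValueError("refusing to emit zone stanza for %r" % name)
        stanzas.append(
            'zone "%s" {\n    type master;\n    file "%s";\n};' % (name, zone_file)
        )
    return "\n".join(stanzas) + "\n"


def host_from_header(value):
    """Strip an optional :port from a Host: header and normalize the name.

    IPv4-only sinkhole assumed, so bracketed IPv6 literals are not handled.
    """
    return normalize_domain(value.rsplit(":", 1)[0] if ":" in value else value)


def sinkholed_domain(host, blocked):
    """Return the blocked domain `host` falls under, or None.

    The '*' record in null.zone answers for every name below the zone apex,
    so stats.<blocked> was sinkholed by the <blocked> zone; the explicit apex
    A record covers the bare name itself.
    """
    for domain in blocked:
        domain = normalize_domain(domain)
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def infected_hosts(log_lines, blocked):
    """Map each client IP to the sorted list of sinkholed names it requested.

    Any request whose Host: header lands in a sinkholed zone is evidence of
    an infected client regardless of status code; the 404s mentioned in the
    thread are just what the sinkhole web server happened to return.
    Lines that do not parse (truncated, rotated mid-write) are skipped.
    """
    seen = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        host = host_from_header(m.group("host"))
        if sinkholed_domain(host, blocked):
            seen[m.group("client")].add(host)
    return {client: sorted(hosts) for client, hosts in seen.items()}


# Constructed sample data (made-up domains, RFC 1918 clients, invented log lines).
BLOCKED = ["spyware-example.test", "adware-example.test"]

SAMPLE_LOG = """\
10.0.5.17 - - [24/Jun/2005:09:10:01 -0500] "GET /update/check.php?v=3 HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" stats.spyware-example.test
10.0.5.17 - - [24/Jun/2005:09:10:02 -0500] "POST /report HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" cdn.spyware-example.test
10.0.7.42 - - [24/Jun/2005:09:11:13 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 192.168.40.1
10.0.9.3 - - [24/Jun/2005:09:12:45 -0500] "GET /ping HTTP/1.0" 404 209 "-" "-" adware-example.test:80
this line is not an access-log record at all
"""

if __name__ == "__main__":
    print(named_conf_zones(BLOCKED))
    for client, hosts in sorted(infected_hosts(SAMPLE_LOG.splitlines(), BLOCKED).items()):
        print("%-15s %s" % (client, ", ".join(hosts)))
```

The admin browsing the sinkhole by its IP (10.0.7.42 in the constructed log) is deliberately not reported: only requests whose Host: header belongs to a sinkholed zone count as evidence, which is the same signal the poster got from the flood of 404s.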