Re: Firewall feature recommendation

On Friday 24 June 2005 09:04, Carl Holtje ;021;vcsg6; wrote:
> > BIND 9, transparent DNS proxying for clients to force them into our
> > local nameserver, where we have a simple null zone file which is
> > loaded as master for each blocked domain. It points a wildcard "A"
> > at an internal IP.
>
> Would you be so kind as to post a randomly-selected zone file for our
> enjoyment?

[file: null.zone]
$TTL 86400      ; one day

@       IN      SOA     ns.local.lan.   hostmaster.local.lan. (
                        2004081000      ; serial number YYYYMMDDNN
                        28800           ; refresh  8 hours
                        7200            ; retry    2 hours
                        864000          ; expire  10 days
                        86400 )         ; min ttl  1 day

                        NS      ns.local.lan.
                        A       192.168.40.1

*               IN      A       192.168.40.1
[end file]

> > Among other things, that internal machine runs a Web server. When
> > we first started doing this, its apache logs were inundated with
> > 404's as the now-stranded spyware attempted to phone home.
>
> So you take a DNS (port 53) request and re-write it as HTTP (port
> 80)??

No. The spyware does a DNS lookup and then an HTTP request to the IP
returned.

> Wouldn't it just be easier to reply to the DNS request with a "host
> not found"? Or were you trying to log the requests to find the
> infected hosts..?

When I first did this I had no idea what was going to happen. :) Later 
on I decided to stick with the internal IP for that reason, yes, it 
does help us identify infected hosts.

DNS logging would have accomplished the same thing.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
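The setup described in this thread has two halves: BIND loads the one null zone file above as master for every blocked domain, and the sinkhole web server's 404s reveal which internal hosts are trying to phone home. The following script is an added example, not code from the original post or from any of the projects it mentions. It generates the named.conf zone stanzas for a blocklist and then tallies sinkholed requests from Apache log lines. Everything in it is assumed rather than taken from the post: the path /etc/bind/null.zone, a combined log format with the Host header appended as a final quoted field, and the sample log lines and domain names, which are constructed for illustration.

```python
"""Null-zone stanza generator and sinkhole log tally (added example, assumptions noted)."""
import re
from collections import Counter, defaultdict

# Assumed path of the shared null zone file shown in the post as null.zone.
NULL_ZONE_FILE = "/etc/bind/null.zone"

# Hostnames only: labels of letters, digits and hyphens joined by dots. Rejecting
# anything else keeps a hostile blocklist entry from closing the quoted string
# in named.conf and injecting its own configuration.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def normalize_domains(domains):
    """Lower-case, strip trailing dots, drop blanks and '#' comments, reject bad names."""
    out = set()
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        if not name or name.startswith("#"):
            continue
        if not DOMAIN_RE.match(name):
            raise ValueError("refusing to emit a zone stanza for %r" % raw)
        out.add(name)
    return sorted(out)


def named_conf_stanzas(domains):
    """One 'type master' zone stanza per blocked domain, all loading NULL_ZONE_FILE."""
    return "\n".join(
        'zone "%s" {\n    type master;\n    file "%s";\n};' % (d, NULL_ZONE_FILE)
        for d in normalize_domains(domains)
    )


# Assumed LogFormat: Apache 'combined' plus "%{Host}i" as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<host>[^"]*)"$'
)


def phone_home_report(log_text, own_hosts=()):
    """Map each client IP to a Counter of Host headers it sent that got a 404.

    Requests for the server's own names (own_hosts) are ignored, so what is
    left is traffic aimed at sinkholed domains: stranded spyware calling home.
    Returns (report, number_of_unparseable_lines).
    """
    own = {h.lower() for h in own_hosts}
    report = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        host = m.group("host").lower().split(":")[0]  # drop any :port suffix
        if m.group("status") != "404" or host in own:
            continue
        report[m.group("client")][host] += 1
    return dict(report), skipped


# Constructed sample input; the domains use the reserved .test TLD.
SAMPLE_LOG = """\
192.168.40.57 - - [24/Jun/2005:09:12:01 -0500] "GET /cgi-bin/report.cgi?id=123 HTTP/1.1" 404 297 "-" "Mozilla/4.0" "tracker.example-spyware.test"
192.168.40.57 - - [24/Jun/2005:09:12:31 -0500] "GET /cgi-bin/report.cgi?id=123 HTTP/1.1" 404 297 "-" "Mozilla/4.0" "tracker.example-spyware.test"
192.168.40.88 - - [24/Jun/2005:09:13:10 -0500] "POST /update HTTP/1.0" 404 297 "-" "WinInet" "ads.example-spyware.test:80"
192.168.40.12 - - [24/Jun/2005:09:14:00 -0500] "GET /missing.html HTTP/1.1" 404 297 "-" "Mozilla/5.0" "www.local.lan"
this line is deliberately not in the expected format
"""

if __name__ == "__main__":
    print(named_conf_stanzas(["tracker.example-spyware.test", "ads.example-spyware.test."]))
    report, skipped = phone_home_report(SAMPLE_LOG, own_hosts=["www.local.lan"])
    for client, hosts in sorted(report.items()):
        print(client, dict(hosts))
    print("unparseable lines:", skipped)
```

The stanza generator validates names before quoting them because blocklists are often fetched from third parties; a single stray quote or semicolon in such a list would otherwise end up inside named.conf. The log tally ignores the server's own vhost names so that ordinary 404s on the internal site do not get mistaken for infections, which is the distinction the thread draws between a lookup failure and a phone-home attempt.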

