On Friday 24 June 2005 09:04, Carl Holtje ;021;vcsg6; wrote:
> > BIND 9, transparent DNS proxying for clients to force them into our
> > local nameserver, where we have a simple null zone file which is
> > loaded as master for each blocked domain. It points a wildcard "A"
> > at an internal IP.
>
> Would you be so kind as to post a randomly-selected zone file for our
> enjoyment?
[file: null.zone]
$TTL 86400 ; one day
@ IN SOA ns.local.lan. hostmaster.local.lan. (
2004081000 ; serial number YYMMDDNN
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS ns.local.lan.
A 192.168.40.1
* IN A 192.168.40.1
[end file]
> > Among other things, that internal machine runs a Web server. When
> > we first started doing this, its apache logs were inundated with
> > 404's as the now-stranded spyware attempted to phone home.
>
> So you take a DNS (port 53) request and re-write it as HTTP (port
> 80)??
No. The spyware does a DNS lookup and then HTTP request to the IP
returned.
> Wouldn't it just be easier to reply to the DNS request with a "host
> not found"? Or where you trying to log the requests to find the
> infected hosts..?
When I first did this I had no idea what was going to happen. :) Later
on I decided to stick with the internal IP for that reason, yes, it
does help us identify infected hosts.
DNS logging would have accomplished the same thing.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
