From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: Firewall feature recommendation
Date: Fri, 24 Jun 2005 09:12:08 -0500 [thread overview]
Message-ID: <200506240912.08598.rob0@gmx.co.uk> (raw)
In-Reply-To: <Pine.GSO.4.58.0506241002340.17433@queeg.cs.rit.edu>
On Friday 24 June 2005 09:04, Carl Holtje ;021;vcsg6; wrote:
> > BIND 9, transparent DNS proxying for clients to force them into our
> > local nameserver, where we have a simple null zone file which is
> > loaded as master for each blocked domain. It points a wildcard "A"
> > at an internal IP.
>
> Would you be so kind as to post a randomly-selected zone file for our
> enjoyment?
[file: null.zone]
$TTL 86400 ; one day
@ IN SOA ns.local.lan. hostmaster.local.lan. (
2004081000 ; serial number YYMMDDNN
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS ns.local.lan.
A 192.168.40.1
* IN A 192.168.40.1
[end file]
> > Among other things, that internal machine runs a Web server. When
> > we first started doing this, its apache logs were inundated with
> > 404's as the now-stranded spyware attempted to phone home.
>
> So you take a DNS (port 53) request and re-write it as HTTP (port
> 80)??
No. The spyware does a DNS lookup and then HTTP request to the IP
returned.
> Wouldn't it just be easier to reply to the DNS request with a "host
> not found"? Or where you trying to log the requests to find the
> infected hosts..?
When I first did this I had no idea what was going to happen. :) Later
on I decided to stick with the internal IP for that reason, yes, it
does help us identify infected hosts.
DNS logging would have accomplished the same thing.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
next prev parent reply other threads:[~2005-06-24 14:12 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-24 10:56 Firewall feature recommendation Kenneth Kalmer
2005-06-24 13:26 ` /dev/rob0
2005-06-24 13:36 ` Carl Holtje ;021;vcsg6;
2005-06-24 13:45 ` /dev/rob0
2005-06-24 14:04 ` Carl Holtje ;021;vcsg6;
2005-06-24 14:12 ` Seferovic Edvin
2005-06-24 14:12 ` /dev/rob0 [this message]
2005-06-24 14:32 ` /dev/rob0
2005-06-24 14:37 ` Jan Engelhardt
2005-06-24 14:53 ` /dev/rob0
2005-06-24 15:20 ` Carl Holtje ;021;vcsg6;
2005-06-24 15:23 ` Carl Holtje ;021;vcsg6;
2005-06-24 17:49 ` /dev/rob0
2005-06-24 15:12 ` Kenneth Kalmer
2005-06-24 13:44 ` John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200506240912.08598.rob0@gmx.co.uk \
--to=rob0@gmx.co.uk \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.