I posted just such a thing a few weeks ago on the dnsrpz list at redbarn. Hrm, seems to be down at the moment.
On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote:
> On 12/2/21 9:59 AM, Fred Morris wrote:
>> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
>> generally available: turn your local BIND resolver into a network
>> investigation enabler with locally generated PTR records.
>
> Would you please elaborate on what Rear View RPZ does?
>
> It seems as if it synthetically fabricates PTR records (which are
> served via RPZ) with some additional information for subsequent use by
> investigators.
>
> If that is correct, please provide an example of the original PTR and
> the synthetic augmented PTR.

\/ \/ \/ \/ \/ (ob ascii art!)

-------- Forwarded Message --------
Subject: [DNSfirewalls] I've got smoke! Re: Using DnsTap to populate a reverse DNS RPZ
Date: Mon, 15 Nov 2021 09:49:26 -0800
From: Fred Morris <m3...@m3047.net>
To: dnsfirewa...@lists.redbarn.org

Hi. It's been a while.

Anyway, I did this. It'll be going up on GitHub. I'll post another announcement here, and probably on dnstap and bind-users, when it's got training wheels.

The way this works is a "sputnik" which consumes BIND's Dnstap telemetry and uses it to populate the RPZ using dynamic updates.

--

FWM

On 3/19/21 12:57 PM, Fred Morris wrote:
> This is a tactical defender-centric tool, intended to augment everyday
> tools' usability, e.g. "iptables -L -v". It's an RPZ, but it's not a
> ban hammer.
>
> On Fri, 19 Mar 2021, Andrew Fried wrote:
>> [...]
>> You will often see generic 4-3-2-1.some.domain ptr records despite an
>> actual host/domain points at the ip, particularly in cloud environments.
>
> Exactly the point!
> --

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 www.cnn.com

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 www.cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54804
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 04b5f7fa4c6aded4a8b6a4b3619299ce772407a3c447a114 (good)
;; QUESTION SECTION:
;www.cnn.com.                   IN      A

;; ANSWER SECTION:
www.cnn.COM.            297     IN      CNAME   turner-tls.map.fastly.net.
turner-tls.map.fastly.net. 27   IN      A       151.101.53.67

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:33:02 PST 2021
;; MSG SIZE  rcvd: 134

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 rearview.m3047.net axfr

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 rearview.m3047.net axfr
; (1 server found)
;; global options: +cmd
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL. M3047.M3047.NET. 2 600 60 86400 600
REARVIEW.M3047.NET.     600     IN      NS      LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0.6666666666666666"
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL. M3047.M3047.NET. 2 600 60 86400 600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:33:10 PST 2021
;; XFR size: 5 records (messages 1, bytes 382)

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 infoblox.com

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 infoblox.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 666ea36e97a11479a198007e61929a416afc140bc683c5cc (good)
;; QUESTION SECTION:
;infoblox.com.                  IN      A

;; ANSWER SECTION:
infoblox.com.           3600    IN      A       23.185.0.3

;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:34:57 PST 2021
;; MSG SIZE  rcvd: 85

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 rearview.m3047.net axfr

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 rearview.m3047.net axfr
; (1 server found)
;; global options: +cmd
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL. M3047.M3047.NET. 3 600 60 86400 600
REARVIEW.M3047.NET.     600     IN      NS      LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0.6666666666666666"
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN TXT "depth=1,first=1636997699.3390522,last=1636997699.3390543,count=1,trend=0.0,score=0.5"
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN PTR infoblox.com.
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL. M3047.M3047.NET. 3 600 60 86400 600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:35:02 PST 2021
;; XFR size: 7 records (messages 1, bytes 547)

m3047@sophia:~/GitHub/rear_view_rpz/python> dig -x 23.185.0.3

; <<>> DiG 9.12.3-P1 <<>> -x 23.185.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c99baad9134300b5c7c0938361929b634fc1d9fd56d9f674 (good)
;; QUESTION SECTION:
;3.0.185.23.in-addr.arpa.       IN      PTR

;; AUTHORITY SECTION:
23.in-addr.arpa.        10800   IN      SOA     z.arin.net. dns-ops.arin.net. 2017032657 1800 900 691200 10800

;; Query time: 1174 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Mon Nov 15 09:39:47 PST 2021
;; MSG SIZE  rcvd: 149

m3047@sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 -x 23.185.0.3

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 -x 23.185.0.3
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46633
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fa006de254213cbe5d5ecfe061929b727fc60cca0a56dc9a (good)
;; QUESTION SECTION:
;3.0.185.23.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
3.0.185.23.in-addr.arpa. 5      IN      PTR     infoblox.com.

;; ADDITIONAL SECTION:
REARVIEW.M3047.NET.     1       IN      SOA     DEV.NULL. M3047.M3047.NET. 3 600 60 86400 600

;; Query time: 437 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:40:02 PST 2021
;; MSG SIZE  rcvd: 174
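The mechanism the forwarded message describes, as an added example that is not part of the thread and not code from the rear_view_rpz project: a consumer of resolver telemetry (Dnstap in the real tool; here a plain function call) watches which name a client asked for and which address the answer chain ended at, keeps one PTR plus one TXT record per address under the RPZ zone in the owner-name layout the AXFR output shows, and emits the nsupdate(8) stanza that would push the pair into the zone by dynamic update. The class and function names (`RearView`, `Entry`, `observe`, `ptr`, `nsupdate`, `parse_txt`, `reverse_owner`), the score heuristic and the treatment of `trend` are this example's own assumptions; the zone name and the two sample observations are taken from the message. The IPv6 handling goes beyond what the message shows.

```python
"""Synthesize reverse-mapping RPZ records from observed forward resolutions.

Added example, not code from the rear_view_rpz project. It models the idea in
the thread: watch the answers a resolver returns (the real tool reads them from
BIND's Dnstap stream) and maintain a PTR + TXT pair per address inside an RPZ
zone, so that `dig -x` against the local resolver returns the name a client
actually asked for. Owner-name and TXT layout follow the AXFR output in the
message; the score heuristic, the `trend` handling and all class/function names
are this example's own assumptions.
"""
from dataclasses import dataclass
import ipaddress
import time

RPZ_ZONE = "rearview.m3047.net."  # zone name taken from the message's AXFR output


def reverse_owner(address: str, zone: str = RPZ_ZONE) -> str:
    """RPZ owner name for an address: reversed octets (nibbles for IPv6) plus
    the arpa suffix, with the RPZ zone appended as the rule's origin."""
    return f"{ipaddress.ip_address(address).reverse_pointer}.{zone}"


@dataclass
class Entry:
    qname: str    # name the client asked for (left end of the CNAME chain)
    depth: int    # names traversed to reach the address (1 = direct A record)
    first: float  # unix time first seen
    last: float   # unix time last seen
    count: int = 1
    trend: float = 0.0  # kept for layout parity with the TXT record; not modelled here

    def score(self) -> float:
        # Assumption: a heuristic of this example's own. Longer chains and repeat
        # sightings raise confidence that qname is what an analyst would call this
        # address. It reproduces the 0.5 and 0.666 values in the AXFR output, but
        # the project's real formula is not shown on the page.
        return 1.0 - 1.0 / (self.depth + self.count)

    def rrs(self, owner: str, ttl: int) -> list:
        """(owner, ttl, type, rdata) tuples in the layout of the AXFR output."""
        txt = (f"depth={self.depth},first={self.first},last={self.last},"
               f"count={self.count},trend={self.trend},score={self.score()}")
        return [(owner, ttl, "TXT", f'"{txt}"'), (owner, ttl, "PTR", self.qname)]


class RearView:
    """In-memory model of the RPZ zone; `observe` is what a Dnstap consumer would call."""

    def __init__(self, zone: str = RPZ_ZONE, ttl: int = 600):
        self.zone, self.ttl, self.entries = zone, ttl, {}

    def observe(self, qname: str, chain: list, address: str, now: float = None) -> str:
        """Record that resolving qname (through `chain`, qname first) ended at address."""
        now = time.time() if now is None else now
        owner = reverse_owner(address, self.zone)
        entry = self.entries.get(owner)
        if entry is None or entry.qname != qname:
            # New address, or a different name now maps to it: start a fresh record.
            self.entries[owner] = Entry(qname=qname, depth=len(chain), first=now, last=now)
        else:
            entry.count += 1
            entry.last = now
        return owner

    def ptr(self, address: str):
        """What `dig -x address` against the RPZ-enabled resolver would answer."""
        entry = self.entries.get(reverse_owner(address, self.zone))
        return entry.qname if entry else None

    def nsupdate(self, owner: str) -> str:
        """nsupdate(8) stanza that replaces the owner's TXT and PTR via dynamic update."""
        lines = [f"zone {self.zone}",
                 f"update delete {owner} TXT", f"update delete {owner} PTR"]
        for name, ttl, rtype, rdata in self.entries[owner].rrs(owner, self.ttl):
            lines.append(f"update add {name} {ttl} IN {rtype} {rdata}")
        lines.append("send")
        return "\n".join(lines)


def parse_txt(rdata: str) -> dict:
    """Parse the key=value,... TXT payload back into typed fields (investigator side)."""
    fields = {}
    for item in rdata.strip('"').split(","):
        key, value = item.split("=", 1)
        fields[key] = int(value) if key in ("depth", "count") else float(value)
    return fields


if __name__ == "__main__":
    # Constructed sample observations mirroring the two lookups in the message.
    rv = RearView()
    cnn = rv.observe("www.cnn.com.", ["www.cnn.com.", "turner-tls.map.fastly.net."],
                     "151.101.53.67", now=1636997584.330454)
    rv.observe("infoblox.com.", ["infoblox.com."], "23.185.0.3", now=1636997699.3390522)
    print(rv.nsupdate(cnn))
    print(rv.ptr("23.185.0.3"))
```

The two design points worth noting: the PTR target is the name at the left end of the chain (`www.cnn.com.`, not the CDN name the A record actually belongs to), because that is the name an analyst reading `iptables -L -v` output will recognise; and a repeat sighting of the same name only bumps `count` and `last`, while a different name landing on the same address starts a fresh record rather than silently overwriting history.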