On Wednesday, March 19, 2025 4:05:29 PM CET you wrote:
> Michael,
>
> you can hardly create a static list from all of the domains that can
> possibly exist.
>
> I do understand the usefulness of dynamic classification.
>
> There's just not a straightforward interface for it now. Somebody will have
> to invest into writing this :shrug:
>
> Ondrej
Hi Ondrej,

I commend your productivity! I saw your work in both BIND-Users and DNSOP. No joke, we need more people like this, especially right now. Having had a productivity boost on the same day, fist-bump!

To be fair though, not all domains have to be recorded into an RPZ to be useful. For me right now, it's only a couple of domains related to Facebook, YouTube, Windows Update, and Tor. Wildcards being allowed means that this zone is only 42 lines long.

> Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a way to
> add the classification to the message processing and then the RPZ processing
> could read the classification and take an action?
> But that's quite a huge chunk of work.

About that... I like the idea, but can you guarantee that it stays within BIND? How would you envision such traffic flow from threat analysis to zone inclusion? Would such additions to the protocol require standardization in DNSOP?

The way I envision it is as follows: Suppose that a request is made to malicious01.nixmagic.com. A sentinel node on ns1.internal.nixmagic.com makes a report, and wraps it up into an intervention package. This is to be pushed into the RPZ zone, or whatever else is responsible for DNS rewrite through internal DNS - BIND here. So that sentinel program made its call, classified it locally, and pushed new records accordingly.

Does the DNS server and its zone file still need to know more than that? If so, how does that affect the protocol performed between sentinel and nameserver, as well as the protocol performed between nameserver and future clients? If not, could it redirect to different destinations based on such classification data?

My concern here is mostly with the protocol, and where these databases are held. My belief is that the DNS server does not need to know about the classification details of such a threat. That's the responsibility of the sentinel to determine, and keep records of.
That being said, I do like the idea of exploring this in further detail. As you may be able to tell by now, I have explored the idea of a sentinel as an SMTP edge before. Provided sufficient actionable rationale and/or code relevant to BIND, would ISC be willing to collaborate on such an ordeal?

> If this is something that is going to be open-source and the whole BIND 9
> users community would benefit from this, I would love to hear and see more.

Out of curiosity, do you think that the code I wrote for building zone files may be useful here? I committed it locally as mkbind, similar in nature to keama. However, the JSON syntax is built only against my own infrastructure, which is not as complex as that of other members on this and the DNSOP list. Most importantly, it still deals with /24 only. Binary conversion to handle classless... it's a roadmap item, but one I'd rather push down until needed. Nonetheless, it can handle zones and has several logic items for deduplication (e.g. A/PTR, mobility between zone suffixes, etc).

--
Kind regards,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
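The sentinel-to-RPZ flow sketched above (classify locally, push a policy record, and let the server act on it without knowing why) can be illustrated with a small helper. This is an added example written for this discussion, not code from the thread's participants, from mkbind, or from BIND itself. It assumes a policy zone named rpz.internal.nixmagic.com. that accepts dynamic updates, a walled-garden address of 10.0.0.250, and a hypothetical classification vocabulary (malware, c2, tracker, quarantine, allow); the RPZ trigger semantics it encodes (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-drop. to drop, CNAME rpz-passthru. to exempt, A/AAAA for local data) are the standard ones documented in the BIND ARM. The output is an nsupdate batch, so the only thing crossing from sentinel to nameserver is a plain DNS UPDATE: the classification itself stays with the sentinel, which is exactly the division of responsibility argued for above.

```python
"""Hypothetical sentinel -> RPZ push helper (added example, not the poster's code).

Maps a locally decided classification to an RPZ policy record and emits an
nsupdate script. Zone name, sinkhole address and classification labels are
assumptions for illustration.
"""
import re

RPZ_ZONE = "rpz.internal.nixmagic.com."   # assumed name of the policy zone
SINKHOLE_V4 = "10.0.0.250"                 # assumed walled-garden address

# Classification -> (rtype, rdata) of the RPZ trigger record.
# Right-hand sides follow standard RPZ semantics:
#   CNAME .             -> NXDOMAIN
#   CNAME *.            -> NODATA
#   CNAME rpz-drop.     -> query is dropped
#   CNAME rpz-passthru. -> exempt from policy
#   A <addr>            -> answer with local data (redirect)
ACTIONS = {
    "malware":    ("CNAME", "."),
    "phishing":   ("CNAME", "."),
    "c2":         ("CNAME", "rpz-drop."),
    "tracker":    ("CNAME", "*."),
    "quarantine": ("A", SINKHOLE_V4),
    "allow":      ("CNAME", "rpz-passthru."),
}

# Hostname labels only (LDH rule); underscore labels such as _tcp are rejected
# on purpose, a sentinel should never push an owner name it did not validate.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def rpz_owner(qname: str, wildcard: bool = False) -> str:
    """Return the RPZ owner name for qname, optionally as a *.qname wildcard."""
    name = qname.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid domain name: {qname!r}")
    if wildcard:
        name = "*." + name
    return f"{name}.{RPZ_ZONE}"


def rpz_record(qname: str, classification: str, ttl: int = 300,
               wildcard: bool = False) -> str:
    """Render one zone-file style RR implementing the policy for qname."""
    try:
        rtype, rdata = ACTIONS[classification]
    except KeyError:
        raise ValueError(f"unknown classification: {classification!r}") from None
    return f"{rpz_owner(qname, wildcard)} {ttl} IN {rtype} {rdata}"


def nsupdate_script(reports, server: str = "127.0.0.1") -> str:
    """Build an nsupdate batch from (qname, classification, wildcard) tuples.

    Each owner is deleted before it is added, so a reclassification replaces
    the previous policy instead of accumulating conflicting RRs.
    """
    lines = [f"server {server}", f"zone {RPZ_ZONE}"]
    for qname, classification, wildcard in reports:
        owner = rpz_owner(qname, wildcard)
        lines.append(f"update delete {owner}")
        lines.append("update add " + rpz_record(qname, classification,
                                                wildcard=wildcard))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sentinel reports for the example.
    reports = [
        ("malicious01.nixmagic.com", "malware", False),
        ("facebook.com", "tracker", True),
        ("example.org", "quarantine", False),
    ]
    print(nsupdate_script(reports), end="")
```

Pipe the output into nsupdate -k with a TSIG key (nsupdate -k /path/to/key.private < batch) against a zone that is listed in response-policy { zone "rpz.internal.nixmagic.com."; } and allows updates from the sentinel only, e.g. with update-policy or allow-update restricted to that key. Whether to prefer a redirect (A record) over NXDOMAIN is a choice the sentinel makes per classification; the nameserver only ever sees the resulting RR.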
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org