On Saturday, May 24, 2025 3:53:57 AM CEST Fred Morris wrote:
> On Fri, 23 May 2025, Grant Taylor via bind-users wrote:
> > I don't think there is anything that I would describe that way. But there
> > may be some rate limiting option(s) that you could use to at least cripple
> > using DNS queries & replies as a tunnel mechanism.
>
> Yes, exactly. Generally speaking and it comes with its own constellation
> of adversary responses but failing softly, or failing to brokenness: I
> think this is preferable to failing outright.
>
> If you fail in an outright, reproducible, measurable fashion you give your
> opponent predictability and confidence. As a defender you want to
> undermine that and look like an under-resourced, poorly administered
> network that somehow, we don't know exactly how but somehow: it's just
> bad luck. There's a crappy network and every time your adversary messes
> with it they just have inexplicable bad luck.
Generally, this is what I would describe good security practice to be like. Let's put on a former hacker's hat, dark grey seems good. What I would probe for is first and foremost low hanging fruit. Scan the whole IPv4 Internet in about 20 minutes. God bless good VPS providers. And all hail masscan. What I would probe next is the servers running interesting applications, like mailers and whatnot. Then dial into those that allow for SMTP auth. Doesn't matter if they actually do or not. (unpredictability) Whatever sticks, abuse the living shit out of it. Not like they're going to live long anyway, and neither are we. Rinse and repeat. Profit.

> The footnotes would be longer than what I've written. File it generally
> under "chaos engineering".
>
> Dnstap offers application-level logging (DNS is an application protocol
> along with a wire protocol) and you can combine that with e.g. fail2ban
> and/or RPZ, or other things if it keeps you up at night and you like
> picking the legs off of web spiders.

This, alongside tcpdump, is an excellent defense mechanism.

-- 
Kind regards,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
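The query-logging plus fail2ban/RPZ idea in the thread, carried one step further as an added example (not code from any poster or from ISC): a scorer for BIND's text query-log lines that flags clients sending many distinct queries whose first label is long and high-entropy, the signature of encoded data riding in QNAMEs. Log lines, addresses (RFC 5737 ranges) and thresholds are constructed; a deployment would tune the thresholds on its own traffic and hand the result to fail2ban or an RPZ feed rather than hard-blocking, in the "fail softly" spirit above.

```python
"""Flag DNS-tunnel-like clients from BIND text query-log lines (heuristic:
many distinct queries from one client whose first label is long and
high-entropy). Hits are candidates for a fail2ban jail or RPZ entry."""
import math
import re
from collections import defaultdict
# BIND query-log line shape: client [@0xADDR] IP#PORT [(qname)]: query: QNAME IN QTYPE ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Return (client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def suspicious_clients(lines, min_distinct=5, min_label_len=20, min_entropy=3.5):
    """Map client IP -> count of distinct tunnel-looking qnames (only if >= min_distinct)."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, _qtype = parsed
        first = qname.split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= min_entropy:
            seen[ip].add(qname)
    return {ip: len(n) for ip, n in seen.items() if len(n) >= min_distinct}

# Constructed sample log; addresses are from RFC 5737 documentation ranges.
_TUNNEL_LABELS = ["k3j9x2q7mz8v4n1bc5ta6y", "p0r8s3u6w9d2f5h1l4o7e9",
                  "a2b4c6d8e0f1g3h5i7j9k2", "m1n3o5p7q9r0s2t4u6v8w1",
                  "z9y7x5w3v1u8t6s4r2q0p9", "g5h7i9j1k3l5m7n9o1p3q5"]
SAMPLE_LOG = [
    "client @0x7f3c5c0b2e30 192.0.2.10#53512 (www.example.com): query: www.example.com IN A +E(0)K (203.0.113.1)",
    "client @0x7f3c5c0b2e30 198.51.100.7#41002 (mail.example.com): query: mail.example.com IN MX +E(0)K (203.0.113.1)",
] + [f"client @0x7f3c5c0b2e30 198.51.100.7#41002 ({lab}.t.example.net): query: {lab}.t.example.net IN TXT +E(0)K (203.0.113.1)"
     for lab in _TUNNEL_LABELS]
```

Running `suspicious_clients(SAMPLE_LOG)` returns `{'198.51.100.7': 6}`; the ordinary A and MX lookups contribute nothing, so the benign client is never listed.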