Funny you should mention this. It just occurred to me, although it also
apparently occurred to one other soul on the dnsrpz mailing list, you can
use RPZ to audit and to some extent contain leakage.
Assuming you own example.com, I'm speaking about entries akin to the
following:
*.example.example.com CNAME .
*.com.example.com CNAME .
*.net.example.com CNAME .
Entries like the foregoing will return NXDOMAIN for, for example,
dolphin2.com.example.com. ;-) It's also possible to log or direct the
querent to a honeypot. Granted, most likely the stub resolver is trying
dolphin2.com.example.com because it already tried dolphin2 and
dolphin2.com and both of those failed, but at least you know.
You can also see just how good your passive DNS provider's data is, by
looking for things which resolved to 127.0.53.53. (This is a really good
way for the casual reader to understand the scope of this problem, by the
way.)
Running your own caching resolver and dumping the cache and looking for
stuff is also occasionally advisable; I suspect most of the people on this
list would know this.
--
Fred Morris
On Mon, 25 Nov 2019, Florian Weimer wrote:
>> Is it because of the incoming data is interesting?
> Define interesting.
> The data could have monetary value. Passwords that are otherwise
> difficult to come by might be leaking.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
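An added example (mine, not from the thread) that generates the RPZ entries described above for a given domain and audits query-log pairs for the two signals the message points at: search-list leakage names such as dolphin2.com.example.com, and answers of 127.0.53.53. The sample query/answer pairs and the set of fenced TLDs are constructed assumptions.

```python
# Constructed sample data: (qname, answer) pairs as a resolver's query log might
# show them after search-list expansion. Hosts and answers are made up.
SAMPLE_QUERIES = [
    ("dolphin2.example.com", "10.1.2.3"),
    ("dolphin2.com.example.com", "NXDOMAIN"),
    ("printer.corp.example.com", "10.1.2.9"),
    ("intranet.net.example.com", "NXDOMAIN"),
    ("wpad.corp", "127.0.53.53"),
    ("www.example.com", "198.51.100.7"),
]

# TLDs to fence off in RPZ; the message lists example, com and net (assumption).
FENCED_TLDS = ("example", "com", "net")

# Address returned for colliding names under ICANN's controlled interruption.
COLLISION_ADDR = "127.0.53.53"


def rpz_entries(domain, tlds=FENCED_TLDS):
    """Build RPZ records '*.<tld>.<domain> CNAME .' (the NXDOMAIN action)."""
    return ["*.%s.%s CNAME ." % (tld, domain) for tld in tlds]


def leaked_name(qname, domain, tlds=FENCED_TLDS):
    """If qname looks like '<host>.<tld>.<domain>', return '<host>.<tld>',
    the name the stub resolver was really trying; otherwise return None."""
    suffix = "." + domain.lower()
    if not qname.lower().endswith(suffix):
        return None
    inner = qname[: -len(suffix)]
    labels = inner.split(".")
    if len(labels) >= 2 and labels[-1].lower() in tlds:
        return inner
    return None


def audit(queries, domain, tlds=FENCED_TLDS):
    """Return (search-list leaks, collision answers) found in (qname, answer) pairs.
    Leaks are (qname, inner name) tuples; collisions are qnames answered with
    COLLISION_ADDR, the marker the message suggests checking in passive DNS."""
    leaks, collisions = [], []
    for qname, answer in queries:
        name = leaked_name(qname, domain, tlds)
        if name:
            leaks.append((qname, name))
        if answer == COLLISION_ADDR:
            collisions.append(qname)
    return leaks, collisions
```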