[ASK] Block Malware Generate Random Subdomain, Domain and TLD

2018-01-17 Thread Syaifudin
Hi all,
Is there a regex for the bind config, or something else, to anticipate or block
malware that generates a random subdomain (2 or 3 characters) + random domain
(7 characters) + random TLD?
The bind log is shown in the picture at this link: Malware Generate Random Subdomain,
Domain and TLD
For now I use iptables and REGEX (KPCRE).

Thanks

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
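As an added example (not from the thread or from ISC): a small detector for the name shape the question describes, run over constructed BIND query-log lines. It flags a client only when it has asked for several distinct domains of that shape, because the shape alone also matches legitimate names such as www.example.com; the allowlist, client addresses and the minimum count are assumptions.

```python
import re
from collections import defaultdict

# Shape described in the question: 2-3 char label . 7 char label . TLD
DGA_SHAPE = re.compile(r"^[a-z0-9]{2,3}\.([a-z]{7})\.([a-z]{2,})$")
# Matches BIND "queries" category lines, with or without the "(qname)" field
QUERY_LINE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# Legitimate names fit the shape too (www.example.com does), so keep an allowlist (assumed)
ALLOWLIST = {"example.com", "example.net"}

def parse_query(line):
    """Return (client_ip, qname) from a query-log line, or None if it is not a query line."""
    m = QUERY_LINE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower()

def is_dga_shaped(qname):
    """True if qname has the 2-3/7/TLD shape and its registered domain is not allowlisted."""
    m = DGA_SHAPE.match(qname)
    if not m:
        return False
    return f"{m.group(1)}.{m.group(2)}" not in ALLOWLIST

def suspicious_clients(lines, min_distinct=3):
    """Map client -> sorted registered domains for clients that asked for at
    least min_distinct different DGA-shaped domains (a single hit is noise)."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname = parsed
        if is_dga_shaped(qname):
            seen[client].add(qname.split(".", 1)[1])
    return {c: sorted(d) for c, d in seen.items() if len(d) >= min_distinct}

# Constructed sample log lines (names from the thread, addresses from documentation ranges)
SAMPLE_LOG = """\
17-Jan-2018 08:12:01.101 client 192.0.2.10#51234 (m23.pxrrhqd.net): query: m23.pxrrhqd.net IN A + (10.0.0.1)
17-Jan-2018 08:12:01.205 client 192.0.2.10#51235 (m16.nkksufo.net): query: m16.nkksufo.net IN A + (10.0.0.1)
17-Jan-2018 08:12:01.310 client 192.0.2.10#51236 (k7.qzlwmrt.org): query: k7.qzlwmrt.org IN A + (10.0.0.1)
17-Jan-2018 08:12:02.001 client 192.0.2.10#51237 (www.example.com): query: www.example.com IN A + (10.0.0.1)
17-Jan-2018 08:12:02.450 client 192.0.2.20#40001 (www.example.com): query: www.example.com IN A + (10.0.0.1)
17-Jan-2018 08:12:03.120 client 192.0.2.20#40002 (mail.example.net): query: mail.example.net IN MX + (10.0.0.1)
"""
```

Feed `suspicious_clients(SAMPLE_LOG.splitlines())` a real query log and only 192.0.2.10 comes back here; the allowlisted and differently shaped names from 192.0.2.20 are ignored.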


Re: [ASK] Block Malware Generate Random Subdomain, Domain and TLD

2018-01-17 Thread Tony Finch
Syaifudin  wrote:

> is there regex for bind config or something else to anticipation or block
> malware where generate random subdomain ( 2 or 3 character )+ random domain
> ( 7 character ) + random tld.

This is a job for RPZ.

I'm currently at UKNOF39 where we have just had a couple of talks about
RPZ. One of the speakers talked about algorithmically generated malware
domains: if you know the algorithm, you can pre-generate the malicious
domains and add them to your RPZ in advance.

If they are truly random attack domains then you'll need some other
strategy.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames: West 6 to gale 8, occasionally severe gale 9 at first,
increasing severe gale 9 to violent storm 11 later. Rough or very rough. Rain
later. Moderate or good.


intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-17 Thread Brian J. Murrell
I have a BIND (9.9.4)[1] server that runs well most of the time, but
periodically it will start returning SERVFAIL for very high-level
domains such as *.google.com, *.gstatic.com, *.github.com, etc.  It
seems to happen most frequently with Google domains, but I wonder if
that is just a reflection on the percentage of queries I have for those
here.

In any case when this happens, it will last a few minutes until it
resolves itself and/or I issue an "rndc reload".  That always seems to
correct it if I don't care to wait it out.

I'm wondering what the steps are to try to get to the bottom of this.

I have a db dump (rndc dumpdb) as well as some trace (rndc trace x10)
while this is happening.  Is this enough?  If so, what should I look
for as a cause of the SERVFAILs?

If not, what more do I need to collect?  Do I need tracing enabled
before the situation happens?  What level (how many "rndc trace"s
should I run)?

Very grateful for any help.

Cheers,
b.



RHEL, Centos, Fedora rpm 9.11.2-P1

2018-01-17 Thread Carl Byington
http://www.five-ten-sg.com/mapper/bind contains links to the source
rpms, and build instructions.




Re: [ASK] Block Malware Generate Random Subdomain, Domain and TLD

2018-01-17 Thread Grant Taylor via bind-users

On 01/17/2018 07:57 AM, Tony Finch wrote:
> I'm currently at UKNOF39 where we have just had a couple of talks about
> RPZ. One of the speakers talked about algorithmically generated malware
> domains: if you know the algorithm, you can pre-generate the malicious
> domains and add them to your RPZ in advance.

Did you see or hear any talks about RPS in addition to RPZ?

> If they are truly random attack domains then you'll need some other
> strategy.

I suspect that an intelligent RPS filter could detect and possibly
prevent such communications.

--
Grant. . . .
unix || die




Re: [ASK] Block Malware Generate Random Subdomain, Domain and TLD

2018-01-17 Thread Daniel Stirnimann
> domains: if you know the algorithm, you can pre-generate the malicious
> domains and add them to your RPZ in advance.

RPZ by default will not stop the upstream query. You would have to use
"qname-wait-recurse yes" in addition if stopping upstream queries is
your goal.

I believe this malware DGA is discussed on this site [1]. According to
one user, the DGA is unpredictable and used to decoy only:

"There is a large list of hardcoded domains with ports that the malware
contact. But in addition to that, there is a DGA that generates domains
that look exactly like the hardcoded domains. The seeding of the DGA is
done with GetTickCount and therefore unpredictable."

It seems to me that some of the hardcoded domains resolve to
195.22.26[.]248 e.g. m23.pxrrhqd[.]net, m16.nkksufo[.]net. Thus, I have
the following RPZ rule in place at the moment:

32.248.26.22.195.rpz-ip CNAME .

This will of course only match some of the hardcoded domains and none of
the DGA domains. I'm not sure what you could use to prevent any of these
queries to go upstream.

Maybe "synth-from-dnssec" in Bind 9.12 is something if the domain name
happens to hit a TLD which uses NSEC. According to the Bind 9.12
documentation [2] Bind will support NSEC3 for "synth-from-dnssec" at
some point in the future. However, as most TLDs use NSEC3 opt-out I
guess this is not the right solution either.

Or RRL (rate-limit) with only "nxdomains-per-second". However, I have
never used RRL on recursive resolvers. I guess this is not a good idea
either.

Daniel

[1] https://github.com/360netlab/DGA/issues/36
[2] https://ftp.isc.org/isc/bind9/9.12.0rc3/doc/arm/Bv9ARM.ch09.html#relnotes_features
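An added example (mine, not from the thread or from ISC): a generator for the RPZ zone that Daniel's rpz-ip rule belongs to. It encodes the trigger name the way RPZ expects (prefix length first, then the address octets reversed, so 195.22.26.248 becomes 32.248.26.22.195.rpz-ip) and adds qname and wildcard triggers for the hardcoded domains he names; the zone origin rpz.local, the file name and the serial are assumptions.

```python
import ipaddress

# Constructed inputs: the address and domain names are the ones quoted in the thread
BLOCK_IPS = ["195.22.26.248"]                    # rpz-ip triggers (match answer data)
BLOCK_DOMAINS = ["pxrrhqd.net", "nkksufo.net"]   # qname triggers, plus a wildcard each

def rpz_ip_trigger(cidr):
    """Encode an IPv4 address or prefix as an rpz-ip trigger owner name:
    <prefixlen>.<octets reversed>.rpz-ip, e.g. 195.22.26.248 -> 32.248.26.22.195.rpz-ip"""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 triggers only")
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{rev}.rpz-ip"

def build_rpz_zone(origin, ips, domains, serial=2018011701):
    """Return the text of a minimal RPZ zone file (origin and serial are assumed values)."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for ip in ips:
        # "CNAME ." is the NXDOMAIN policy action, as in the rule quoted above
        lines.append(f"{rpz_ip_trigger(ip)} CNAME .")
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")   # also catches the m23./m16. style subdomains
    return "\n".join(lines) + "\n"

# named.conf fragment that loads the zone (zone name and file name are assumed)
NAMED_CONF_FRAGMENT = """\
options {
    // qname-wait-recurse no: answer QNAME triggers without recursing upstream first
    response-policy { zone "rpz.local"; } qname-wait-recurse no;
};
zone "rpz.local" { type master; file "rpz.local.db"; allow-query { none; }; };
"""
```

In BIND the option that stops the upstream query for QNAME triggers is `qname-wait-recurse no` (the default, yes, waits for recursion so that IP and NSDNAME triggers can be evaluated); check the ARM for the version you run.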