Dayton's Den

Entries tagged as dns


Categories
Useful Links
Blog Administration

Entries tagged as dns

Related tags

Sunday, April 5. 2015

RPZ Action Posted by Jason Robertson in BIND DNS at 12:46
Defined tags for this entry: , , , , ,
Last modified on 2015-04-05 18:27

RPZ Action

The RPZ standard  provides many actions, in response to when a trigger is activated. The triggers that are activated can be both from client requests, or the responses from the remote DNS Servers.  The actions for these, determine what the requesting client receives back from the DNS Server they are querying. The DNS server can reply with No Domain, No Data for the Domain, Whitelist, and Rewrite record. For BIND 9, there are 2 more actions available Tar-pitting and Quench.

 

Continue reading "RPZ Action"

Sunday, December 28. 2014

RPZ Triggers Posted by Jason Robertson in BIND DNS at 20:35
Defined tags for this entry: , , , , ,
Last modified on 2015-02-03 19:50

RPZ Triggers

Triggers operate from least specific to most specific

QNAME Trigger

The most common method of triggering RPZ, will be the QNAME Trigger, which is a trigger based on the Domain Name of the requested site. The site can must match exactly except for wildcard matching, which will only replace one level of the domain address.  The domain addresses would have the appended to the full address the name of the zone, such as www.domain.com.rpz.zone.

Examples of the domains that would be valid are:

Domain RPZ Entry Matching DNS Query
www.domain.com www.domain.com.rpz.zone. www.domain.com
domain.com domain.com.rpz.zone. domain.com
*.domain.com *.domain.com.rpz.zone. www.domain.com
subdomain.com

 

Examples of the domains that would be invalid are:

Domain RPZ Entry Matching DNS Query
www.*.com none no matching query
*sub*.domain.com none no matching query
www.domain.com none no matching query
*sub.domain.com none no matching query

Request IP Trigger (rpz-ip)

RPZ can match the returned IP Address for a request from the DNS Server, this could allow for an exception, or to block a site that has many Domain names assigned such as a Virtualhosting company.  Part of this format will include the prefix length for the network size, for IPv4 this is a mask between 0 to 32 and 0 to 128 for IPv6 addresses.  For IPv6 addresses, you can remove many of the "00" grouping and replace them zz.

IP Address Prefix Map RPZ Entry Matching DNS Response
192.168.32.1 32 32.1.32.168.192.rpz-ip 192.168.32.1
192.168.31.3 31 31.3.31.168.192.rpz-ip 192.168.31.3
192.168.31.4
 2001:db8:0:1::57 128 128.57.zz.1.0.db8.2001.rpz-ip  2001:db8:0:1::57

Client IP Trigger (rpz-client-ip)

RPZ may also match the clients IP Address and will process these, designed to block ddos amplifiers or zombied clients, this will complete an action for a specific client, without obeying triggers.  This will in effect can prevent a client from resolving any addresses.

IP Address Prefix Map RPZ Entry Matching Client Address
192.168.32.1 32 32.1.32.168.192.rpz-client-ip 192.168.32.1
192.168.31.3 31 31.3.31.168.192.rpz-client-ip 192.168.31.3
192.168.31.4
 2001:db8:0:1::57 128 128.57.zz.1.0.db8.2001.rpz-client-ip  2001:db8:0:1::57

 

Nameserver Domain Name (rpz-nsdname)

RPZ also can provide a method of operating against the hostname of a domain server, and taking an action for any query that comes from a specific DNS Server, and any domains that this server is authoritative for.

Domain RPZ Entry
ns1.domain.com www.domain.com.rpz-nsdname

Nameserver IP Address (rpz-nsip)

RPZ also provide a method of operating against an IP Address of a domain server, and taking an action for any query that comes from a specific DNS Server, and any domains that this server is authoritative for. (Please note in the example 8.8.8.8 is not authortative, so this entry will not work)

Domain RPZ Entry
8.8.8.8 32.8.8.8.8.rpz-nsip
« previous page   (Page 1 of 1, totaling 2 entries)   next page »
Frontpage