[RPZ] something_else.pseudotld.tld and BIND and DNS in the wild
Fred Morris
m3047 at m3047.net
Thu Apr 21 07:58:13 UTC 2011
It comes to my attention that some pseudo TLDs, for instance t35.com, allow
underscores in owner names for which they offer up RRs. It doesn't strictly
matter what they allow as what strictly matters, although yes ironically they
are serving up A RRs like this. (They don't allow `rm -rf *`.t35.com in any
case.)

The fun occurs when you try to add something_else.pseudotld.tld.my-rpz to the
zone my-rpz. Adding

    something_else.pseudotld.tld.my-rpz CNAME .

is no problem with BIND. But out-of-the-box,

    something_else.pseudotld.tld.my-rpz A 1.2.3.4

is right out. So you can NX them, but you can't send them to a walled garden.
You can spend a lot of time (don't ask me how I know) tracking something like
this down.

It looks like the check-names option can address this; I'll be playing with
that tomorrow.

This matters to people implementing RPZs because you may not allow or condone
domains or hostnames with underscores, but the people you are trying to
sinkhole may be doing just that; and if I read correctly, the default for
masters is to fail and slaves is to warn, and if you're implementing an RPZ
you probably don't want either of those behaviors... you just want to
silently add it to your RPZ because it is what it is.
--
Fred Morris
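Added example, not part of the post: a named.conf fragment for a BIND 9 resolver that loads my-rpz as a response-policy zone and sets check-names per zone so that owner names with underscores load silently. The file path, the 192.0.2.10 transfer address and the ACL choices are assumptions; the records it refers to are the ones quoted in the post.

```conf
// Added example: BIND 9 named.conf fragment for a resolver using the my-rpz zone
// from the post. Assumed: zone file path, secondary address 192.0.2.10, ACLs.

options {
    recursion yes;
    // Enable the response policy zone; BIND consults it for every answer.
    response-policy { zone "my-rpz"; };
};

// Primary copy of the RPZ. The default check-names mode for a master zone is
// "fail", so a record such as
//     something_else.pseudotld.tld.my-rpz A 1.2.3.4
// stops the zone from loading: check-names validates the owner names of A,
// AAAA and MX RRs, which is why the "CNAME ." NXDOMAIN action loads but the
// walled-garden A record does not. "ignore" takes the record as-is, which is
// the behaviour an RPZ needs: the name being sinkholed is whatever it is.
zone "my-rpz" {
    type master;
    file "/etc/bind/rpz/db.my-rpz";     // assumed path; holds the records from the post
    check-names ignore;                 // per-zone override; default for master is fail
    allow-query { localhost; };         // only local dig tests need to see the zone data
    allow-transfer { 192.0.2.10; };     // assumed secondary resolver pulling the RPZ
};

// On a secondary resolver the same zone is "type slave;" with a "masters { ...; };"
// list, and the default check-names mode there is "warn", which logs a line for
// every underscore owner name on each transfer; set "check-names ignore;" on that
// zone statement as well rather than loosening check-names globally in options,
// which would also disable the check for any real authoritative zones on the box.
```

Setting check-names in the zone statement, not in options or the view, keeps the relaxed rule scoped to the RPZ alone.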