[RPZ] fun with dns rpz
Paul Vixie
paul at redbarn.org
Tue Nov 22 07:27:40 UTC 2011
tonight i was spammed as i often am, through an open relay which happens
a lot. the payload was a love letter from a no-doubt beautiful russian
woman who fell in love with me as soon as she saw my picture (which is
the point at which i knew it was spam). out of curiosity i clicked on
the link and got an MSIE "cannot display the webpage". out of even
greater curiosity i ran a "dig" and found that surbl and spamhaus were
both on the job.
this dns firewalling stuff looks like a win. when we get a large number
of subscribers and a moderate number of publishers, spammers will
experience DNS RPZ as "sudden mysterious death from the sky." i like it.
here it is through an rpz-speaking recursive name server that subscribes
to surbl first, then spamhaus, both of whom had this domain mapped to
"synthetic nxdomain". below that a "+trace" shows that the domain is
still live in .ru (though the .ru folks are getting better and faster at
takedowns, so it may not still be there by the time you read this.)
re:
; <<>> DiG 9.9.0b2 <<>> dateritmi.ru a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11775
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dateritmi.ru. IN A
;; AUTHORITY SECTION:
rpz.surbl.org. 180 IN SOA dev.null. zone.surbl.org. 1321945813 180 180 604800 180
;; Query time: 369 msec
;; SERVER: 2001:4f8:3:30::3#53(2001:4f8:3:30::3)
;; WHEN: Tue Nov 22 07:12:21 2011
;; MSG SIZE rcvd: 103
vs.
; <<>> DiG 9.9.0b2 <<>> +trace dateritmi.ru a
;; global options: +cmd
. 146535 IN NS e.root-servers.net.
. 146535 IN NS f.root-servers.net.
. 146535 IN NS k.root-servers.net.
. 146535 IN NS g.root-servers.net.
. 146535 IN NS l.root-servers.net.
. 146535 IN NS m.root-servers.net.
. 146535 IN NS b.root-servers.net.
. 146535 IN NS a.root-servers.net.
. 146535 IN NS c.root-servers.net.
. 146535 IN NS d.root-servers.net.
. 146535 IN NS j.root-servers.net.
. 146535 IN NS i.root-servers.net.
. 146535 IN NS h.root-servers.net.
. 518161 IN RRSIG NS 8 0 518400
20111129000000 20111121230000 55231 .
bRCkkqXMqFEI97TKeLPSzjjJMsREu0x2uOsbzalT+petd/PiftpKqqXB
kcBDIL/aZJ+reMyOqneDqYOJlkfDqqBqMxM1V2htdCUeg03JuB8+ggde
Hxc/GI8GULiIEbAk9nv1OXOec6KNyIg4ZCD7WH6aKX2vi5WyWXqwFVik y/U=
;; Received 441 bytes from 2001:4f8:3:30::3#53(2001:4f8:3:30::3) in 169 ms
ru. 172800 IN NS ns.ripn.net.
ru. 172800 IN NS ns2.nic.fr.
ru. 172800 IN NS ns9.ripn.net.
ru. 172800 IN NS f.dns.ripn.net.
ru. 172800 IN NS ns5.msk-ix.net.
ru. 172800 IN NS e.dns.ripn.net.
ru. 86400 IN NSEC rw. NS RRSIG NSEC
ru. 86400 IN RRSIG NSEC 8 1 86400
20111129000000 20111121230000 55231 .
RH5YbxLqGwyyz4FEhe8LQY2qo4neBHo4cOVyw50kQHW14t5BCuGdVJs7
hYBXd5FEHd1Uj9//mACVr4fa+vGxL7IfDghhoGXeQN11NYMbuwhAaa//
BvJwGa/s2xN/SR1aYG25Eeq/Bl9wg2l1fDvoZpfJd2xPIUTOzTH8Lkp9 rUs=
;; Received 616 bytes from 192.5.5.241#53(192.5.5.241) in 2313 ms
dateritmi.ru. 345600 IN NS ns1.reg.ru.
dateritmi.ru. 345600 IN NS ns2.reg.ru.
;; Received 113 bytes from 193.232.156.17#53(193.232.156.17) in 1045 ms
dateritmi.ru. 43200 IN A 31.210.103.8
;; Received 46 bytes from 178.218.208.130#53(178.218.208.130) in 193 ms
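An added example (mine, not part of the post above) showing how a resolver operator can tell an RPZ-synthesised NXDOMAIN from a genuine one: a real NXDOMAIN carries the SOA of the zone containing the name, while the RPZ answer above carries the SOA of the policy zone itself. The first sample is modelled on the dig output in the post; the second is a constructed .ru NXDOMAIN with made-up name and SOA values.

```python
import re

# Constructed sample, modelled on the RPZ-blocked answer in the post: the
# recursive server returns NXDOMAIN, but the SOA in the authority section
# belongs to the policy zone (rpz.surbl.org.), not to .ru.
RPZ_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11775
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;dateritmi.ru. IN A
;; AUTHORITY SECTION:
rpz.surbl.org. 180 IN SOA dev.null. zone.surbl.org. 1321945813 180 180 604800 180
"""

# Constructed sample of an ordinary NXDOMAIN from the real .ru zone; the
# queried name and the SOA field values are made up for illustration.
REAL_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;no-such-name.example.ru. IN A
;; AUTHORITY SECTION:
ru. 3600 IN SOA a.dns.ripn.net. hostmaster.ripn.net. 4030000 86400 14400 2592000 3600
"""

def classify_nxdomain(dig_text):
    """Classify a dig answer by who produced the NXDOMAIN.

    Returns ("rpz", soa_owner) when the SOA owner is not an ancestor of the
    queried name (the policy zone answered), ("authoritative", soa_owner)
    when it is, ("nxdomain", None) if no SOA is present, and (None, None)
    when the status is not NXDOMAIN at all."""
    status = re.search(r"status: (\w+)", dig_text)
    if status is None or status.group(1) != "NXDOMAIN":
        return (None, None)
    # The question line is the only ';'-prefixed line that is not ';;'.
    qname = re.search(r"^;([^;\s]+)\s+IN\s+\w+", dig_text, re.M).group(1).lower()
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", dig_text, re.M)
    if soa is None:
        return ("nxdomain", None)
    owner = soa.group(1).lower()
    # A genuine NXDOMAIN carries the SOA of the zone that contains the name,
    # so the SOA owner must be the queried name itself or one of its ancestors.
    if owner == "." or qname == owner or qname.endswith("." + owner):
        return ("authoritative", owner)
    return ("rpz", owner)
```

Run over a resolver's query logs, this check flags which NXDOMAINs were policy decisions rather than registry state.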