[RPZ] "DNS Firewalls In Action - RPZ vs. Spam" (circleid)

April Lorenzen data at serverauthority.net
Fri Jan 4 13:59:47 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 1/4/13 8:43 AM, John Hascall wrote:
>
>
> So, what we need is an RPZ provider who lists all newly created
> domains for a few days...
>
>
> John

A static "list of new domains" will always be out of date, behind the miscreants who register domains and use them within minutes.

Instead I keep a list of hosts known as of about 24 hrs ago, invert the answer and provide this as a standard domain BL by DNS
query, known as IsNu.us. It answers 127.0.0.2 if the domain was not known as of about 24 hrs ago.

I also have a commercial RPZ offering and can add domains that are received as queries to IsNu.us - to the rpzone if the query
resulted from malicious activity.

Domains automatically drop off of IsNu.us after the time period (be that 24 hours or a few days) - so if the domain is malicious,
and still active after 24 hours - assumedly you are using layered protection such as SURBL as an RPZone which would be listing the
domain due to the malicious activity.

Since this is not a discussion list about anything other than RPZ and IsNu.us is not an RPZone, feel free to discuss it further with
me privately. Although it is in production use, there are considerations and caveats.

- - April Lorenzen
https://service.dissectcyber.com
>
>
>> Just saw that -- nice article, Vix.
>>
>> - ferg
>>
>>
>> On Thu, Jan 3, 2013 at 9:15 PM, Paul Vixie <vixie at isc.org> wrote:
>>
>>> "In this article I'm going to demonstrate a DNS firewall built using RPZ
>>> (Response Policy Zones) and show its potential impact on e-mail "spam". My
>>> goal is to pique the interest of I.T. professionals whether they are
>>> decision makers, system administrators, hard core DNS developers, or small
>>> office / home office power users. "
>>>
>>> http://www.circleid.com/posts/20120103_dns_firewalls_in_action_rpz_vs_spam/
>>>
>>>
>>> _______________________________________________
>>> dnsrpz-interest mailing list
>>> dnsrpz-interest at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/dnsrpz-interest
>>>
>>
>>
>>
>> --
>> "Fergie", a.k.a. Paul Ferguson
>> fergdawgster(at)gmail.com
>>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlDm4FAACgkQU60bNfmbotTDxACeJ8SKWW30uIuF5VE/1FHqqLjE
IqcAoK3kVyXMuXtTFsVEMoRcnsysQK8j
=PGsI
-----END PGP SIGNATURE-----
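
The inverted lookup described in the message above, as an added sketch that is not code from the original post or from the IsNu.us service: a list of names known as of about 24 hours ago answers 127.0.0.2 for anything it does not know, and a name stops being listed once it ages past the window, after which a layered RPZ has to carry it. The zone name `newdomains.example`, the `observe()` feed, the `policy()` helper and its "defer" action are assumptions made for illustration; the page does not say how the service learns names.

```python
from datetime import datetime, timedelta, timezone

LISTED = "127.0.0.2"          # answer the message gives for "not known ~24h ago"
ZONE = "newdomains.example"   # placeholder zone, not the real service's zone


class InvertedKnownList:
    """Model of a domain BL whose answers are the inverse of a known-host list."""

    def __init__(self, window=timedelta(hours=24)):
        self.window = window
        self.first_seen = {}  # domain -> first time it was observed

    def observe(self, domain, when):
        # Assumed feed: record the earliest sighting of a domain.
        self.first_seen.setdefault(domain.lower().rstrip("."), when)

    def answer(self, qname, now):
        """Return LISTED, or None (NXDOMAIN) when the name was known a window ago."""
        q = qname.lower().rstrip(".")
        suffix = "." + ZONE
        if not q.endswith(suffix):
            return None  # not a query for this zone
        seen = self.first_seen.get(q[: -len(suffix)])
        known = seen is not None and seen <= now - self.window
        return None if known else LISTED


def policy(domain, now, newlist, rpz_names):
    """Layered check: reputation RPZ first, then the new-domain list."""
    if domain in rpz_names:
        return "block"   # listed for malicious activity, regardless of age
    if newlist.answer(f"{domain}.{ZONE}", now) == LISTED:
        return "defer"   # too new to have any reputation yet
    return "accept"


if __name__ == "__main__":
    # Constructed sample data.
    t0 = datetime(2013, 1, 4, 14, 0, tzinfo=timezone.utc)
    bl = InvertedKnownList()
    bl.observe("old.example", t0 - timedelta(days=3))
    bl.observe("fresh.example", t0 - timedelta(minutes=10))
    for when in (t0, t0 + timedelta(hours=25)):
        for name in ("old.example", "fresh.example", "never-seen.example"):
            print(when.isoformat(), name, policy(name, when, bl, {"old.example"}))
```
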



