[RPZ] RPZ / bind load bug?

Francis Turner francis at threatstop.com
Wed May 29 01:42:58 UTC 2013


I'm not positive that this is a bug - or if it is that it is an RPZ bug per se - but we're seeing bind load errors when we try to create RPZ zones with certain domains in them. I'd appreciate anyone's ideas on what we can do to stop this (beyond not loading these kinds of domains, which is possible but does kind of defeat the object of the exercise...)

The domains look like this (they are phishing domains):

paypal.com.uk.cmd.cgi-bin.4c6da88992553d0d43ff7d8dbe19c1133279c9a98f445fff9e2de3dd9a35cd.535125ee83828ec61a1888291c588fd9dc096297a1e972d037a14b15663498.806a02ea02f2846dd2aee0300a20dfe587e5ed4f8d3fdc281cb36a171f0178.umedial.de

And the error we get when loading them is:

May 27 01:04:14 rpz named[29830]: general: error: dns_master_load: /srv/www/bind/rpz/includes/desktop.rpz.threatstop.local.include.txt:4787: ran out of space

The actual FQDN including the RPZ header is 253 bytes long (it's the above plus desktop.rpz.threatstop.local) and so far as I can tell this is an entirely legit FQDN (less than 255 total, max 63 chars per section). Moreover the error 'out of space' isn't one that implies an illegal name.

We're running Bind version: 9.8.4-P1 (version.bind/txt/ch disabled)
compiled with the following options:
--prefix=/usr/local --sysconfdir=/etc/bind --localstatedir=/var/run/bind --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-gnu-ld --with-openssl=/usr --with-gssapi=/usr --enable-ipv6 --enable-fixed-rrset --enable-rpz-nsip --enable-rpz-nsdname --with-libxml

I believe this is almost up to date but not the absolute latest. I'll happily submit a bind bug and/or use a newer version of bind if someone thinks that will fix the issue, but before I do so I'd like to be sure that this is the right thing to do.

Regards

Francis

Francis J.M. Turner
VP Product Management & OEM - http://www.threatstop.com/

ThreatSTOP(tm) Inc, "Stop Botnets Stealing from You!"
email: francis at threatstop.com skype: francis.turner.threatstop
fixed: +1-760-542-1550    cell:  +1-760-402-7676

That knowledge which stops at what it does not know, is the
highest knowledge.           -- Chuang Tzu, 4th c. B.C.
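The following is an added example, not part of the original post and not ThreatSTOP's own tooling. It computes the length of a name as it is encoded on the wire, which is what the 255-octet limit in RFC 1035 section 2.3.4 applies to: each label is preceded by a one-octet length and the name ends with a zero octet for the root, so the wire form is longer than the dotted text form by (number of labels + 1) octets minus the dots. It then builds the RPZ QNAME trigger (the original name with the RPZ zone name appended, as RPZ does) and checks it against both the 63-octet label limit and the 255-octet name limit. For the name quoted in the post it gives 227 octets for the domain alone and 256 octets once desktop.rpz.threatstop.local is appended, i.e. over the limit even though the dotted text is under it. The function and variable names (`wire_length`, `rpz_trigger`, `check_rpz_trigger`, `PHISH_NAME`, `RPZ_ZONE`) are mine; the domain and zone name are the ones quoted above.

```python
"""Check whether an RPZ trigger name fits the DNS name limits.

Added example, not from the original post. The domain and the RPZ zone name
are the ones quoted in the post; the function and variable names are assumed.
RFC 1035 section 2.3.4 limits a label to 63 octets and a whole name to 255
octets in wire format, where each label carries a one-octet length prefix and
the name is terminated by a zero octet for the root.
"""

MAX_LABEL = 63   # RFC 1035 section 2.3.4, octets per label
MAX_NAME = 255   # RFC 1035 section 2.3.4, wire-format octets per name

# Phishing name quoted in the post and the RPZ zone it was being loaded into.
PHISH_NAME = (
    "paypal.com.uk.cmd.cgi-bin."
    "4c6da88992553d0d43ff7d8dbe19c1133279c9a98f445fff9e2de3dd9a35cd."
    "535125ee83828ec61a1888291c588fd9dc096297a1e972d037a14b15663498."
    "806a02ea02f2846dd2aee0300a20dfe587e5ed4f8d3fdc281cb36a171f0178."
    "umedial.de"
)
RPZ_ZONE = "desktop.rpz.threatstop.local"


def labels(name):
    """Split a dotted name into its labels, ignoring a trailing dot."""
    return [lab for lab in name.rstrip(".").split(".") if lab != ""]


def wire_length(name):
    """Octets the name occupies in wire format: len+1 per label, plus 1 for root."""
    return sum(len(lab) + 1 for lab in labels(name)) + 1


def rpz_trigger(qname, rpz_zone):
    """Form the RPZ QNAME trigger: the original name with the RPZ zone appended."""
    return qname.rstrip(".") + "." + rpz_zone.rstrip(".")


def check_name(name):
    """Return a list of limit violations for the name (empty if it is legal)."""
    problems = []
    for lab in labels(name):
        if len(lab) > MAX_LABEL:
            problems.append("label %r is %d octets (max %d)"
                            % (lab, len(lab), MAX_LABEL))
    wl = wire_length(name)
    if wl > MAX_NAME:
        problems.append("wire length %d octets (max %d)" % (wl, MAX_NAME))
    return problems


def check_rpz_trigger(qname, rpz_zone):
    """Build the trigger name for qname and check it; return (trigger, problems)."""
    trig = rpz_trigger(qname, rpz_zone)
    return trig, check_name(trig)


if __name__ == "__main__":
    for n in (PHISH_NAME, rpz_trigger(PHISH_NAME, RPZ_ZONE)):
        print("%d text chars, %d wire octets: %s..."
              % (len(n), wire_length(n), n[:40]))
        for p in check_name(n):
            print("  problem:", p)
```

Running this check over each candidate name before writing the include file lets a feed generator skip or log names whose trigger form would exceed 255 octets, rather than handing them to named and failing the whole zone load.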
