[RPZ] RPZ / bind load bug?

Robert Edmonds edmonds at isc.org
Thu May 30 03:45:35 UTC 2013


Francis Turner wrote:
> The domains look like this (they are phishing domains)
> 
> paypal.com.uk.cmd.cgi-bin.4c6da88992553d0d43ff7d8dbe19c1133279c9a98f445fff9e2de3dd9a35cd.535125ee83828ec61a1888291c588fd9dc096297a1e972d037a14b15663498.806a02ea02f2846dd2aee0300a20dfe587e5ed4f8d3fdc281cb36a171f0178.umedial.de

since there is a fixed upper bound on the length of a DNS domain-name,
it is not possible to guarantee that concatenating two domain-names
results in a legal domain-name with full generality.  (excepting the
corner case where one of the domain-names is the root.)  this means that
RPZ cannot be used to precisely express policy for any arbitrary
domain-name.

effectively, producers of RPZ zones have to treat domain-names as
untrusted input to be sanitized.  if the RPZ zone is produced in a
manual fashion, the producer can "guess" that a leading label can be
chopped off a too-long domain-name.  (note that determining exactly
whether a domain-name is too long to precisely express RPZ policy for
depends on the length of the RPZ zone name.)  otherwise, if the RPZ zone
is produced in an automated fashion, a somewhat complicated algorithm is
needed to detect whether the domain-name needs to be munged and
alternative RPZ policy records generated if so.  an alternative to
munging too-long names might be to ensure that all names are short, say
by doing something similar to what the RHSBLs do, where they extract a
"base" domain with the aid of tables (see, for instance,
<http://www.surbl.org/guidelines>) since they have the same
concatenation problem, though i think they do it primarily to reduce the
query load on their mirrors.

it's probably best to munge names in wire-format with a DNS library like
ldns (e.g., ldns_dname_left_chop() and similar functions), as that will
ultimately be less complicated than correctly chopping labels off
"presentation format" names.  if i were producing an RPZ zone in master
file format i would probably also want to subject the generated records
to additional checks using other ldns library calls like verifying that,
e.g., ldns_rr_new_frm_str() and ldns_rr2wire() can be used to
successfully encode the RPZ RR.

-- 
Robert Edmonds
edmonds at isc.org
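The concatenation problem the post describes, worked through as an added example (this is not code from the post, from ISC or from ldns). It computes the wire-format length of a presentation-format name (one length octet per label, the label octets, and the terminating zero octet, 255 octets total), checks whether `name.zone` fits, and if not chops leading labels, as the post suggests for manually produced zones, until a rule fits. The choice to emit a `*.` wildcard rule for the shortened name (so the rule still covers the original name, at the cost of also covering its siblings) is this example's own; the post only says alternative policy records must be generated. The RPZ zone names and the `CNAME .` action are constructed for illustration; the phishing domain is the one quoted in the thread.

```python
"""Sanitize domain names for use as RPZ QNAME triggers.

Added example, not part of the mailing-list post.  Names are assumed to be
ASCII (or already punycoded); no IDNA conversion is attempted.
"""

MAX_NAME_WIRE = 255   # RFC 1035 limit on a wire-format domain name
MAX_LABEL = 63        # RFC 1035 limit on one label


def labels_of(name: str) -> list[str]:
    """Split a presentation-format name into labels, ignoring a trailing dot."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def wire_length(name: str) -> int:
    """Wire-format length: each label costs len+1 octets, plus 1 for the root."""
    labels = labels_of(name)
    for label in labels:
        if not 1 <= len(label.encode("ascii")) <= MAX_LABEL:
            raise ValueError(f"label {label!r} violates the 1..63 octet limit")
    return sum(len(label) + 1 for label in labels) + 1


def rpz_owner(name: str, zone: str) -> tuple[str, int]:
    """Return (owner, chopped) for an RPZ rule on `name` under `zone`.

    chopped == 0 means the exact QNAME rule `name.zone.` fits.  Otherwise
    `chopped` leading labels were removed and the owner is the wildcard
    `*.<rest>.zone.`, which still matches the original name.  Raises
    ValueError if no suffix of `name` can be expressed under `zone`.
    """
    labels = labels_of(name)
    zone_labels = labels_of(zone)
    chopped = 0
    while chopped < len(labels):
        exact = ".".join(labels[chopped:] + zone_labels) + "."
        if chopped == 0 and wire_length(exact) <= MAX_NAME_WIRE:
            return exact, 0
        wild = "*." + exact           # the "*" label costs 2 more octets
        if chopped > 0 and wire_length(wild) <= MAX_NAME_WIRE:
            return wild, chopped
        chopped += 1
    raise ValueError(f"no suffix of {name!r} fits under RPZ zone {zone!r}")


def rpz_record(name: str, zone: str, rdata: str = "CNAME .") -> str:
    """One master-file line for the policy; `CNAME .` is the NXDOMAIN action."""
    owner, _ = rpz_owner(name, zone)
    return f"{owner} IN {rdata}"


# The domain quoted in the thread (three 62-octet hex labels): 227 octets on the wire.
PHISHING_NAME = (
    "paypal.com.uk.cmd.cgi-bin."
    "4c6da88992553d0d43ff7d8dbe19c1133279c9a98f445fff9e2de3dd9a35cd."
    "535125ee83828ec61a1888291c588fd9dc096297a1e972d037a14b15663498."
    "806a02ea02f2846dd2aee0300a20dfe587e5ed4f8d3fdc281cb36a171f0178."
    "umedial.de"
)

if __name__ == "__main__":
    # Constructed zone names: a 17-octet zone leaves room, a 35-octet one does not.
    for zone in ("rpz.example.com", "phishing.rpz.example-firewall.net"):
        owner, chopped = rpz_owner(PHISHING_NAME, zone)
        print(f"{zone}: chopped {chopped} label(s), owner is {wire_length(owner)} octets")
        print("  ", rpz_record(PHISHING_NAME, zone))
```

Whether the RPZ zone name is short enough decides the outcome: under a 17-octet zone the exact rule fits (243 octets), while under a 35-octet zone two leading labels must go before a wildcard rule fits (252 octets). A label longer than 63 octets cannot be repaired by chopping and is rejected outright, which is the kind of check the post recommends applying before a generated record is accepted.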
