[DNSfirewalls] Offlabel use: suppressing backscatter and leakage, tracking misbehaving devices
m3047 at m3047.net
Mon Nov 18 20:34:03 UTC 2019
I don't think I've seen anyone mention this, but RPZ can be used to
identify as well as suppress backscatter and leakage by returning
NXDOMAIN. This leakage occurs when, because of search lists or
misconfigurations, things which don't resolve are retried within your own
domain. For example, some software cannot resolve does-not-resolve.com
and so retries it under example.com as does-not-resolve.com.example.com.
So, a line like this:
*.COM.EXAMPLE.COM CNAME .
returns NXDOMAIN for the attempt to resolve
does-not-resolve.com.example.com. It might be that said software will
persist in its brokenness when politely told "NX" (indeed, it could be
how it got here), so you might alternatively return it with a "valid"
address or even a honeypot.
You can also log information about such requests, to assist with
tracking down misbehaving devices.
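As an added illustration (not part of m3047's post, nor of any DNS firewall product), the script below ties the two halves of the idea together: it generates the wildcard RPZ records the post describes (one `*.<tld>.<local-domain>` rule per public TLD you care about, with `CNAME .` for NXDOMAIN or a honeypot name as the alternative), and it scans resolver query-log lines for names that look like a public name re-suffixed with the local domain, counting them per client so the misbehaving devices stand out. The log lines, the client addresses, the set of TLDs watched, the local domain `example.com` and the honeypot hostname are all constructed for the example; the log format is modelled on a BIND-style query log but the regex is an assumption and should be adjusted to whatever your resolver actually emits.

```python
"""Generate RPZ leakage-suppression rules and spot search-list leakage in query logs.

Example code added for illustration; nothing here is taken from the original post.
"""
import re
from collections import Counter, defaultdict

# Assumptions for the example: the local domain that search lists append, and
# the public TLDs whose leaked names we want to catch beneath it.
LOCAL_DOMAIN = "example.com"
WATCHED_TLDS = {"com", "net", "org", "io"}

# Constructed query-log lines in a BIND-like format (not real traffic).
LOG_LINES = [
    "18-Nov-2019 20:34:03.001 client @0x7f0a1c003e60 192.0.2.10#40512 "
    "(does-not-resolve.com.example.com): query: does-not-resolve.com.example.com IN A +E(0)K (192.0.2.1)",
    "18-Nov-2019 20:34:03.002 client @0x7f0a1c003e60 192.0.2.10#40513 "
    "(update.vendor.net.example.com): query: update.vendor.net.example.com IN AAAA +E(0)K (192.0.2.1)",
    "18-Nov-2019 20:34:03.003 client @0x7f0a1c004120 192.0.2.20#51000 "
    "(www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "18-Nov-2019 20:34:03.004 client @0x7f0a1c004120 192.0.2.20#51001 "
    "(mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.1)",
    "18-Nov-2019 20:34:03.005 client @0x7f0a1c0055a0 192.0.2.30#61234 "
    "(does-not-resolve.com.example.com): query: does-not-resolve.com.example.com IN A +E(0)K (192.0.2.1)",
    "18-Nov-2019 20:34:03.006 rpz: info: some unrelated log line that is not a query",
]

# Assumed log shape: "client [@0x...] <ip>#<port> (<name>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def rpz_records(local_domain=LOCAL_DOMAIN, tlds=WATCHED_TLDS, target="."):
    """Return RPZ zone lines, one wildcard per TLD, in the style of the post.

    target="." yields CNAME . (RPZ's NXDOMAIN action); pass an absolute
    hostname such as "honeypot.example.com." to hand leaked lookups a
    "valid" address instead.
    """
    return [f"*.{tld}.{local_domain} CNAME {target}" for tld in sorted(tlds)]


def leaked_name(qname, local_domain=LOCAL_DOMAIN, tlds=WATCHED_TLDS):
    """If qname is a public name re-suffixed with local_domain, return that public name.

    "does-not-resolve.com.example.com" -> "does-not-resolve.com"; anything that
    does not end in <watched tld>.<local_domain> with at least one label in
    front of the TLD returns None (so "www.example.com" is left alone).
    """
    name = qname.rstrip(".").lower()
    suffix = "." + local_domain.lower()
    if not name.endswith(suffix):
        return None
    inner = name[: -len(suffix)]
    labels = inner.split(".")
    if len(labels) < 2 or labels[-1] not in tlds:
        return None
    return inner


def find_leakers(lines):
    """Map client IP -> Counter of leaked names seen in the given query-log lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        leaked = leaked_name(m["qname"])
        if leaked:
            per_client[m["ip"]][leaked] += 1
    return per_client


if __name__ == "__main__":
    print("; RPZ rules (NXDOMAIN):")
    print("\n".join(rpz_records()))
    print("; RPZ rules (honeypot variant):")
    print("\n".join(rpz_records(target="honeypot.example.com.")))
    for ip, names in sorted(find_leakers(LOG_LINES).items()):
        print(f"{ip}: {sum(names.values())} leaked queries: {dict(names)}")
```

The TLD list is the main knob: a wildcard like `*.io.example.com` will also swallow a legitimate `io` subdomain of your own zone if you have one, so only list TLDs that cannot collide with your real subdomains, and read the per-client counts before deciding whether the fix belongs in the resolver (RPZ) or on the device that keeps retrying.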