[DNSfirewalls] Rear View RPZ: PTR records from local knowledge
Fred Morris
m3047 at m3047.net
Thu Dec 2 16:53:21 UTC 2021
Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
generally available: turn your local BIND resolver into a network
investigation enabler with locally generated PTR records.

Ok, sure, some of you may be using it as a network investigation tool
already. If so, you're probably well aware of the problems with PTR
records for local visibility:

* Whoever controls the address space, not the domain, controls the PTR
record.
* They don't necessarily get updated when domains get updated.
* Network owners lie.
* The records are just ignored.
* Many FQDNs can point at an address (vhosting).
* CNAMEs confound the intent of PTR records.

What FQDN did /YOUR/ users look up which resolved to that address? Rear
View RPZ can tell you.

To have success with it in its present state:

* You should be familiar with configuring BIND.
* You should be capable of building it from source.
* You should be capable of resolving prerequisites (e.g. frame
streams, protobuf) when doing so.
* You should be familiar with Python syntax.
* You should understand a systemd service file.

And I have one small favor to ask: if you know of a Linux distribution
which ships BIND compiled with Dnstap support, please let me know!

Cheers...

--

Fred Morris

This is being posted to the Dnstap, RPZ and BIND Users mailing lists.
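
An added illustration, not code from Rear View RPZ or from the post above: it shows how observed resolutions can answer "what FQDN did your users look up which resolved to that address", crediting the name the client asked for rather than the CNAME target, and handling several FQDNs on one address. The observation tuples, the zone name `rpz.example.test.`, the TTL, the owner-name layout and the most-frequently-queried selection rule are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample data: (name the client asked for, answer records).
WWW = [("www.example.com.", "CNAME", "edge.cdn.example.net."),
       ("edge.cdn.example.net.", "A", "192.0.2.10")]
OBSERVED = [
    ("www.example.com.", WWW),
    ("shop.example.org.", [("shop.example.org.", "A", "192.0.2.10")]),
    ("www.example.com.", WWW),
    ("mail.example.com.", [("mail.example.com.", "AAAA", "2001:db8::25")]),
]

def addresses_reached(qname, answers):
    """Follow the CNAME chain from qname and return the addresses it ends at."""
    cnames = {o.lower(): d.lower() for o, t, d in answers if t == "CNAME"}
    name, seen = qname.lower(), set()
    while name in cnames and name not in seen:   # 'seen' guards against CNAME loops
        seen.add(name)
        name = cnames[name]
    return [ipaddress.ip_address(d) for o, t, d in answers
            if t in ("A", "AAAA") and o.lower() == name]

def build_rear_view(observed):
    """Map each address to a count of the names clients queried to reach it."""
    view = defaultdict(Counter)
    for qname, answers in observed:
        for addr in addresses_reached(qname, answers):
            view[addr][qname.lower()] += 1
    return view

def best_name(names):
    """Most frequently queried name; ties broken alphabetically (assumed rule)."""
    return min(names, key=lambda n: (-names[n], n))

def ptr_records(view, zone="rpz.example.test.", ttl=600):
    """Render one PTR line per address; owner-name layout is an assumption."""
    return [f"{addr.reverse_pointer}.{zone} {ttl} IN PTR {best_name(view[addr])}"
            for addr in sorted(view, key=lambda a: (a.version, int(a)))]

if __name__ == "__main__":
    print("\n".join(ptr_records(build_rear_view(OBSERVED))))
```

The shared address 192.0.2.10 is reported as `www.example.com.`, the name most often queried for it, and the CDN name `edge.cdn.example.net.` never appears as a PTR target.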