[DNSfirewalls] Using DnsTap to populate a reverse DNS RPZ
Fred Morris
m3047 at m3047.net
Fri Mar 19 19:57:42 UTC 2021
This is a tactical defender-centric tool, intended to augment everyday
tools' usability, e.g. "iptables -L -v". It's an RPZ, but it's not a ban
hammer.
On Fri, 19 Mar 2021, Andrew Fried wrote:
> [...]
> You will often see generic 4-3-2-1.some.domain PTR records even though an
> actual host/domain points at the IP, particularly in cloud environments.
Exactly the point!
> Furthermore, a rewrite triggered by some query won't necessarily match
> the ptr record, especially if the query was for a hostname but the
> rewrite triggered, for example, on a bad nameserver.
As much sense as I can make out of that, not sure it applies since these
tools are blessedly stupid or at least unimaginative and are going to do
"normal, unsurprising" PTR lookups. Therefore it would be surprising for
one of those queries to stumble upon a nameserver.
The objective is also not to import "all the things", although I really
hadn't thought about expiry. This is implicitly about "did someone here
resolve something to this address?"
--
Fred Morris
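The idea in the message above, as an added example that is not the list tool or any code from the thread: forward resolutions observed via dnstap are turned into RPZ local-data PTR records under an assumed zone name `rpz.local`, so a reverse lookup from a tool like `iptables -L -v` answers "someone here resolved this name to that address" instead of the generic cloud PTR. It goes one step beyond the post by dropping observations older than an assumed `EXPIRY`, the expiry question raised in the reply; the dnstap extraction itself is assumed already done and the observations are constructed.

```python
"""Build RPZ local-data PTR records from observed forward resolutions."""
import ipaddress

RPZ_ZONE = "rpz.local"   # assumed response policy zone name
EXPIRY = 3600            # assumed lifetime of an observation, in seconds

# Constructed sample of (qname, answered address, unix time seen),
# standing in for what a dnstap consumer would extract from client responses.
NOW = 1_700_000_000
SAMPLE = [
    ("www.example.com", "203.0.113.10", NOW - 60),
    ("api.example.net", "2001:db8::1", NOW - 120),
    ("old.example.org", "198.51.100.7", NOW - 7200),   # past EXPIRY
    ("www.example.com", "203.0.113.10", NOW - 30),     # repeat, newer
]


def reverse_name(addr):
    """in-addr.arpa / ip6.arpa owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer


def build_ptr_map(observations, now, expiry=EXPIRY):
    """Map reverse names to (hostname, last_seen), keeping only live entries.

    The newest observation for an address wins, so a reused cloud address
    reflects the most recent name resolved here.
    """
    live = {}
    for qname, addr, seen_at in observations:
        if now - seen_at > expiry:
            continue
        rev = reverse_name(addr)
        prev = live.get(rev)
        if prev is None or seen_at > prev[1]:
            live[rev] = (qname.rstrip(".").lower(), seen_at)
    return live


def render_rpz(ptr_map, zone=RPZ_ZONE):
    """Emit RPZ QNAME-trigger records with a PTR local-data action.

    A PTR RR (not a CNAME to a special name) is local data, so the RPZ
    rewrites the reverse answer rather than blocking anything.
    """
    return [f"{rev}.{zone}. IN PTR {host}."
            for rev, (host, _) in sorted(ptr_map.items())]


if __name__ == "__main__":
    for line in render_rpz(build_ptr_map(SAMPLE, NOW)):
        print(line)
```

The emitted records are meant to be appended to the policy zone's data (e.g. via dynamic update), not served as an authoritative reverse zone.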