From francis at threatstop.com Fri Jul 29 23:52:37 2022
From: francis at threatstop.com (Francis Turner)
Date: Fri, 29 Jul 2022 23:52:37 +0000
Subject: [DNSfirewalls] A non RPZ DNS firewall question
Message-ID: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>

At least I don't think it's an RPZ question because I don't believe it is part of the spec.

Is it possible in Bind or other DNS servers to filter based on RRTYPE, e.g. always replying NXDOMAIN to TXT queries or for that matter to other arbitrary TYPEXX queries? We have some customers who are seeing their public recursive DNS servers being abused by queries of this sort. It's possibly DDOS, it's possibly DNS tunnelling, it may be some other abuse, but either way they want it to stop - at least from certain users of their servers. Unfortunately neither they, nor I, can think of a good way to do this.

Regards

Francis

Francis Turner
Threat STOP Global SE
JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
Office: +1-760-542-1550 | Skype: francis.turner.threatstop
francis at threatstop.com | www.threatstop.com
Weaponize Your Threat Intelligence
"If You Don't Build It, They Definitely Will Not Come" - P. Vixie

From paul at redbarn.org Sat Jul 30 00:35:40 2022
From: paul at redbarn.org (Paul Vixie)
Date: Fri, 29 Jul 2022 17:35:40 -0700
Subject: [DNSfirewalls] A non RPZ DNS firewall question
In-Reply-To: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>
References: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>
Message-ID: <8938310d-e78e-026c-a0ad-959240ade89c@redbarn.org>

Francis Turner via DNSfirewalls wrote on 2022-07-29 16:52:
> At least I don't think it's an RPZ question because I don't believe it
> is part of the spec.

right.

> Is it possible in Bind or other DNS servers to filter based on RRTYPE
> e.g. always replying NXDOMAIN to TXT queries or for that matter to other
> arbitrary TYPEXX queries?
not easily, though it's common in load balancers (which are buggy). nxdomain is about the name and can't depend on the type. yet:

https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0004.md

> We have some customers who are seeing their
> public recursive DNS servers being abused by queries of this sort. It's
> possibly DDOS, it's possible DNS Tunnelling, it may be some other abuse
> but either way they want it to stop - at least from certain users of
> their servers. Unfortunately neither they, nor I, can think of a good
> way to do this

i suggest posting a dnscap trace to dns-operations@ to get more eyes on it.

-- 
P Vixie

From m3047 at m3047.net Sat Jul 30 02:51:44 2022
From: m3047 at m3047.net (Fred Morris)
Date: Fri, 29 Jul 2022 19:51:44 -0700 (PDT)
Subject: [DNSfirewalls] A non RPZ DNS firewall question
In-Reply-To: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>
References: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>
Message-ID:

On Fri, 29 Jul 2022, Francis Turner via DNSfirewalls wrote:
> At least I don't think it's an RPZ question because I don't believe it is part of the spec.

Agree with Paul; although policywise it makes sense, I think the spec was guided by technical constraints. (I suspect Francis knows this.) You can set up an RPZ to return records of a certain type if that type is queried for.

> Is it possible in Bind or other DNS servers to filter based on RRTYPE e.g. always replying NXDOMAIN to TXT queries or for that
> matter to other arbitrary TYPEXX queries?

This actually doesn't sound like eye-rollingly bad deep packet inspection to me. Why not just route them to a properly bodged server behind the "load balancer" (that would be the place to use RPZ)?
-- 
Fred Morris

From brian.peter.dickson at gmail.com Sat Jul 30 02:57:41 2022
From: brian.peter.dickson at gmail.com (Brian Dickson)
Date: Fri, 29 Jul 2022 19:57:41 -0700
Subject: [DNSfirewalls] A non RPZ DNS firewall question
In-Reply-To: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>
References: <1d672320fb5c48f1a1340d43a409923a@threatstop.com>
Message-ID:

You may want to investigate using dnsdist and some of the capabilities it has.

I'd suggest using something like "refused". (Definitely not "servfail", as that will make the client retry repeatedly, making things worse.)

You could also simply drop the queries silently, I think, as long as you're fairly sure the sender is who they say they are. (If you are in doubt, this is the poster child for using DNS cookies.)

Brian

On Fri, Jul 29, 2022 at 4:52 PM Francis Turner via DNSfirewalls <dnsfirewalls at lists.redbarn.org> wrote:

> At least I don't think it's an RPZ question because I don't believe it is
> part of the spec.
>
> Is it possible in Bind or other DNS servers to filter based on RRTYPE e.g.
> always replying NXDOMAIN to TXT queries or for that matter to other
> arbitrary TYPEXX queries? We have some customers who are seeing their
> public recursive DNS servers being abused by queries of this sort. It's
> possibly DDOS, it's possible DNS Tunnelling, it may be some other abuse but
> either way they want it to stop - at least from certain users of their
> servers. Unfortunately neither they, nor I, can think of a good way to do
> this
>
> Regards
>
> Francis
>
> *Francis Turner *
> Threat STOP Global SE
> JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
> Office: +1-760-542-1550 | Skype: francis.turner.threatstop
> francis at threatstop.com | www.threatstop.com
> *Weaponize Your Threat Intelligence*
> "If You Don't Build It, They Definitely Will Not Come" - P.
> Vixie
>
> _______________________________________________
> DNSfirewalls mailing list
> DNSfirewalls at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
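A concrete way to combine what Brian and Fred suggest, written for dnsdist's Lua configuration. This is an added example, not anything posted in the thread or shipped by dnsdist: the listen address, backend addresses, client prefixes, the 20 qps threshold and the pool name "rrtype-sink" are all placeholders, and the type 65 entry merely stands in for whatever arbitrary TYPExx is being abused. It uses dnsdist's documented rules and actions (QTypeRule, NetmaskGroupRule, MaxQPSIPRule, TCPRule, RCodeAction, TCAction, PoolAction, DropAction) to refuse TXT and TYPE65 queries from specific clients with REFUSED rather than SERVFAIL or NXDOMAIN, force unknown high-rate UDP senders onto TCP so a spoofed source gets nothing back, and route the rest to a separate recursor where an RPZ can take over.

```lua
-- Added example (not from the thread). All addresses, prefixes and the
-- "rrtype-sink" pool name are placeholders to be replaced for a real deployment.

-- dnsdist listens on the public address; the real recursor sits behind it.
setLocal("192.0.2.53:53")
newServer({address = "127.0.0.1:5300"})
-- A second recursor (for instance one carrying an RPZ) for queries we want to
-- answer differently rather than refuse outright.
newServer({address = "127.0.0.1:5301", pool = "rrtype-sink"})

-- Clients (placeholder prefixes) whose abusive queries should simply be refused.
local abusers = newNMG()
abusers:addMask("198.51.100.0/24")
abusers:addMask("2001:db8:abcd::/48")

-- The query types being abused: TXT, plus an arbitrary TYPExx given numerically
-- (QTypeRule accepts the raw type number, so any TYPExx can be listed).
local abusedTypes = OrRule({ QTypeRule(DNSQType.TXT), QTypeRule(65) })

-- Rule 1: known abusers asking for those types get REFUSED.
-- Not SERVFAIL (resolvers and stubs retry on it, amplifying the load) and not
-- NXDOMAIN (that rcode is a statement about the name, not the type).
addAction(AndRule({ NetmaskGroupRule(abusers), abusedTypes }),
          RCodeAction(DNSRCode.REFUSED))

-- Rule 2: anyone else sending those types over UDP faster than 20 qps per
-- source address gets a truncated (TC) answer. A genuine client retries over
-- TCP, which proves its source address; a spoofed flood never comes back.
addAction(AndRule({ abusedTypes, TCPRule(false), MaxQPSIPRule(20) }),
          TCAction())

-- Rule 3: remaining queries for those types go to the separate pool, where a
-- recursor with an RPZ (or just tighter limits) decides what to hand back.
addAction(abusedTypes, PoolAction("rrtype-sink"))

-- If the source addresses are trusted (for example a cookie-validating path or
-- TCP-only clients), silent drop is the cheaper option for the abusers:
-- addAction(AndRule({ NetmaskGroupRule(abusers), abusedTypes }), DropAction())

-- Everything not matched above falls through to the default pool as usual.
```

Rules are evaluated in the order they are added and the first matching action wins, so keep the narrow REFUSED rule for known abusers ahead of the broader rate-limit and pool rules. The TC step is a cheap source-address check, not a replacement for DNS cookies; cookie enforcement itself belongs on the recursor behind dnsdist, and the threshold in MaxQPSIPRule should be tuned from a dnscap trace of real traffic rather than the placeholder used here.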