[dns-operations] root? we don't need no stinkin' root!
Fred Morris
m3047 at m3047.net
Mon Nov 25 23:05:14 UTC 2019
Funny you should mention this. It just occurred to me, although it also
apparently occurred to one other soul on the dnsrpz mailing list, you can
use RPZ to audit and to some extent contain leakage.
Assuming you own example.com, I'm speaking about entries akin to the
following:
*.example.example.com CNAME .
*.com.example.com CNAME .
*.net.example.com CNAME .
Entries like the foregoing will return NXDOMAIN for, for example,
dolphin2.com.example.com. ;-) It's also possible to log or direct the
querent to a honeypot. Granted, most likely the stub resolver is trying
dolphin2.com.example.com because it already tried dolphin2 and
dolphin2.com and both of those failed, but at least you know.
You can also see just how good your passive DNS provider's data is, by
looking for things which resolved to 127.0.53.53. (This is a really good
way for the casual reader to understand the scope of this problem, by the
way.)
Running your own caching resolver and dumping the cache and looking for
stuff is also occasionally advisable; I suspect most of the people on this
list would know this.
--
Fred Morris
On Mon, 25 Nov 2019, Florian Weimer wrote:
>
>>> Is it because of the incoming data is interesting?
>>
>> Define interesting.
>
> The data could have monetary value. Passwords that are otherwise
> difficult to come by might be leaking.
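As an added illustration (not code from the post or the list), a small Python script that emits the RPZ wildcard records described above for a chosen set of TLDs and scans a BIND-style query log for the host.tld.example.com pattern that betrays search-list leakage; the TLD list and the log lines are constructed.

```python
"""Search-list leakage audit: generate the RPZ wildcards from the post and
spot leaked names in a resolver query log.  Constructed example data."""
import re

ZONE = "example.com"
TLDS = ("com", "net", "org", "example")   # assumed watchlist; extend as needed

def rpz_entries(zone=ZONE, tlds=TLDS, action="."):
    """RPZ records matching '*.tld.zone'.  Standard RPZ target encodings:
    'CNAME .' -> NXDOMAIN, 'CNAME *.' -> NODATA."""
    return [f"*.{tld}.{zone} CNAME {action}" for tld in tlds]

def leaked_suffix(qname, zone=ZONE, tlds=TLDS):
    """Return (original_name, tld) when qname looks like 'host.tld.zone', i.e.
    a stub resolver appended the search suffix to an already-qualified name."""
    name = qname.rstrip(".").lower()
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    inner = name[:-len(suffix)]          # e.g. 'dolphin2.com'
    labels = inner.split(".")
    if len(labels) >= 2 and labels[-1] in tlds:
        return inner, labels[-1]
    return None

# constructed BIND-style query log lines (not taken from the post)
QUERY_LOG = """\
25-Nov-2019 23:01:02.123 queries: info: client @0x7f 192.0.2.10#5353 (dolphin2): query: dolphin2 IN A +E(0) (198.51.100.1)
25-Nov-2019 23:01:02.456 queries: info: client @0x7f 192.0.2.10#5353 (dolphin2.com): query: dolphin2.com IN A +E(0) (198.51.100.1)
25-Nov-2019 23:01:02.789 queries: info: client @0x7f 192.0.2.10#5353 (dolphin2.com.example.com): query: dolphin2.com.example.com IN A +E(0) (198.51.100.1)
25-Nov-2019 23:01:03.001 queries: info: client @0x7f 192.0.2.11#40000 (www.example.com): query: www.example.com IN A +E(0) (198.51.100.1)
"""
QUERY_RE = re.compile(
    r"client \S+ (?P<client>[\d.]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def audit_log(text, zone=ZONE, tlds=TLDS):
    """List (client, qname, leaked_original, tld) for every leak seen in the log."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        leak = leaked_suffix(m["qname"], zone, tlds)
        if leak:
            hits.append((m["client"], m["qname"], leak[0], leak[1]))
    return hits

if __name__ == "__main__":
    print("\n".join(rpz_entries()))
    for hit in audit_log(QUERY_LOG):
        print("leak:", hit)
```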