[dns-operations] root? we don't need no stinkin' root!

Fred Morris m3047 at m3047.net
Mon Nov 25 23:05:14 UTC 2019

Funny you should mention this. It just occurred to me, although it also 
apparently occurred to one other soul on the dnsrpz mailing list, you can 
use RPZ to audit and to some extent contain leakage.

Assuming you own example.com, I'm speaking about entries akin to the 

*.example.example.com CNAME .
*.com.example.com CNAME .
*.net.example.com CNAME .

Entries like the foregoing will return NXDOMAIN for, for example,
dolphin2.com.example.com. ;-) It's also possible to log or direct the 
querant to a honeypot. Granted, most likely the stub resolver is trying 
dolphin2.com.example.com because it already tried dolphin2 and 
dolphin2.com and both of those failed, but at least you know.

You can also see just how good your passive DNS provider's data is, by 
looking for things which resolved to (This is a really good 
way for the casual reader to understand the scope of this problem, by the 

Running your own caching resolver and dumping the cache and looking for 
stuff is also occasionally advisable; I suspect most of the people on this 
list would know this.


Fred Morris

On Mon, 25 Nov 2019, Florian Weimer wrote:
>>> Is it because of the incoming data is interesting?
>> Define interesting.
> The data could have monetary value.  Passwords that are otherwise
> difficult to come by might be leaking.

More information about the dns-operations mailing list