• scripts-to-block-domains

    From MEjaz@21:1/5 to All on Mon Jul 13 09:44:28 2020

    Hello all,

    I have a requirement from our national Cyber security to block several thousand forged domains from our recursive servers. Is there any way we can
    add a clause in named.conf to scan such a bogus domain list without impacting
    the performance of the servers?

    Thanks in advance for the usual contribution.

    Thanks,

    Mohammed Ejaz

    Asst. Operation Director of Systems.

    Cyberia SAUDI ARABIA

    P.O.Box: 301079, Riyadh 11372

    Phone: (+966) 11 464 7114 Ext. 140

    Mobile: (+966) 562311787

    Fax: (+966) 11 465 4735

    Website: http://www.cyberia.net.sa







    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Stirnimann@21:1/5 to MEjaz on Mon Jul 13 09:34:54 2020
    To: bind-users@lists.isc.org

    Hello Mohammed,

    You can use RPZ (Response Policy Zone). The following link should give
    you a good introduction on how to set this up:

    Building DNS Firewalls with Response Policy Zones (RPZ) https://kb.isc.org/docs/aa-00525

    Daniel


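Daniel's pointer to RPZ is what the rest of the thread settles on. As an added example that is not code from the thread, from ISC or from the KB article linked above, here is a script that turns a flat blocklist into one RPZ zone plus the named.conf pieces that switch it on; a single policy zone holding thousands of records is the point of RPZ, as opposed to one skeleton zone per domain, which Grant describes below as the fallback with a performance cost. The zone name rpz.local and file name db.rpz.local are assumptions (they match the snippet Mohammed posts later in the thread), the blocklist is constructed inline, and the named-checkzone call runs only if BIND's tools are installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC: build one BIND
# Response Policy Zone (RPZ) from a plain list of domains.  Zone name
# "rpz.local" and file name "db.rpz.local" are assumptions.

# make_rpz_zone <domain-list-file> : print a complete RPZ zone file on stdout.
# Each listed name gets two records: "name CNAME ." (RPZ action NXDOMAIN) and
# "*.name CNAME ." so that every name under it is caught as well.
make_rpz_zone() {
    list="$1"
    serial=$(date -u +%Y%m%d01)     # new serial on every regeneration
    printf '$TTL 300\n'
    printf '@\tIN SOA\tlocalhost. hostmaster.localhost. ( %s 3600 900 604800 300 )\n' "$serial"
    printf '@\tIN NS\tlocalhost.\n'
    # Normalise the list: drop comments, CRs, whitespace and trailing dots,
    # lower-case, keep only plausible host names, de-duplicate.  One malformed
    # line would otherwise make named reject the whole multi-thousand-entry zone.
    sed -e 's/#.*//' "$list" | tr -d '\r' | tr 'A-Z' 'a-z' \
      | sed -e 's/[[:space:]]//g' -e 's/\.$//' \
      | grep -E '^[a-z0-9-]+(\.[a-z0-9-]+)+$' | sort -u \
      | while read -r name; do
            printf '%s\tIN CNAME .\n'   "$name"
            printf '*.%s\tIN CNAME .\n' "$name"
        done
}

# rpz_named_conf : the named.conf pieces that make named consult the zone.
# The response-policy statement is what actually turns the zone on; merely
# loading the zone does nothing.  "policy given" keeps each record's own action.
rpz_named_conf() {
    cat <<'EOF'
options {
    // ... existing options ...
    response-policy {
        zone "rpz.local" policy given;
    } break-dnssec yes;      // rewrite even DNSSEC-signed answers
};

logging {
    channel rpz_log { file "/var/log/named/rpz.log" versions 5 size 20m; severity info; print-time yes; };
    category rpz { rpz_log; };
};

zone "rpz.local" {
    type master;
    file "db.rpz.local";
    allow-query { localhost; };   // clients never need to query the policy zone directly
    allow-transfer { none; };
};
EOF
}

# Demo on a constructed list mixing case, a comment, CRLF, junk and a duplicate.
demo_dir=$(mktemp -d)
printf 'doubleclick.net\r\n# comment line\nEXAMPLE.COM.\nexample.com\nnot a domain\n' > "$demo_dir/blocklist.txt"
make_rpz_zone "$demo_dir/blocklist.txt" > "$demo_dir/db.rpz.local"
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone rpz.local "$demo_dir/db.rpz.local"
fi
```

Regenerate the file, run named-checkzone, then rndc reload rpz.local; the date-based serial means secondaries that transfer the policy zone see a new version each time. The per-query cost is one lookup in the policy zone regardless of how many names it holds, so list size mostly affects memory and load time, not query latency.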
  • From Grant Taylor@21:1/5 to MEjaz on Mon Jul 13 13:44:33 2020

    On 7/13/20 12:44 AM, MEjaz wrote:
    > Hello all,

    Hi,

    > I have a requirement from our national Cyber security to block several thousand forged domains from our recursive servers. Is there any way we
    > can add a clause in named.conf to scan such a bogus domain list without impacting the performance of the servers?

    $RPZ++

    If you can't use RPZ, then you /can/ create skeleton zones to make your
    server authoritative for the zones in question. However, there are
    drawbacks to this regarding performance based on the number and size of
    all the additional zones.

    I would strongly recommend RPZ, or the new Response Policy Service,
    which there are a few commercial implementations of. RPS is for DNS
    what milters are for mail servers.

    RPZ is a "static" list.
    RPS is an active / dynamic service.

    Note: Response Policy Zones can be updated via normal dynamic DNS methods.



    --
    Grant. . . .
    unix || die


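Grant's note that a policy zone can be updated with ordinary dynamic DNS deserves a worked example, added here and not code from the thread: an nsupdate batch that adds or removes a blocked name in the live zone, signed with a TSIG key, so the list can change without editing the file and reloading. The key name rpz-update, the key file path, the zone name rpz.local and the server address 127.0.0.1 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: maintain a live RPZ zone with
# dynamic DNS (nsupdate + TSIG) instead of editing the file and reloading.
# Assumed named.conf on the resolver (key name, secret and zone are placeholders):
#
#   key "rpz-update" { algorithm hmac-sha256; secret "<base64 secret>"; };
#   zone "rpz.local" {
#       type master;
#       file "db.rpz.local";
#       allow-query { localhost; };
#       update-policy { grant rpz-update zonesub ANY; };   // key may change any name in the zone
#   };
#
# The same key, in nsupdate's key-file format, lives in $RPZ_KEYFILE.

RPZ_ZONE=${RPZ_ZONE:-rpz.local}
RPZ_SERVER=${RPZ_SERVER:-127.0.0.1}
RPZ_KEYFILE=${RPZ_KEYFILE:-/etc/bind/rpz-update.key}

# rpz_update_batch <add|del> <domain>... : print an nsupdate batch on stdout.
# "add" installs "name CNAME ." and "*.name CNAME ." (RPZ action NXDOMAIN);
# "del" removes both.  Names are lower-cased and stripped of a trailing dot.
rpz_update_batch() {
    op="$1"; shift
    case "$op" in
        add) verb=add ;;
        del) verb=delete ;;
        *)   echo "usage: rpz_update_batch add|del domain..." >&2; return 2 ;;
    esac
    printf 'server %s\nzone %s.\n' "$RPZ_SERVER" "$RPZ_ZONE"
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        if [ "$verb" = add ]; then
            printf 'update add %s.%s. 300 IN CNAME .\n'   "$d" "$RPZ_ZONE"
            printf 'update add *.%s.%s. 300 IN CNAME .\n' "$d" "$RPZ_ZONE"
        else
            printf 'update delete %s.%s. IN CNAME\n'   "$d" "$RPZ_ZONE"
            printf 'update delete *.%s.%s. IN CNAME\n' "$d" "$RPZ_ZONE"
        fi
    done
    printf 'send\n'
}

# rpz_apply <add|del> <domain>... : sign the batch with the TSIG key and send it.
# named applies it atomically, bumps the SOA serial and enforces it at once.
rpz_apply() {
    rpz_update_batch "$@" | nsupdate -k "$RPZ_KEYFILE"
}

# Demo: show the batch that would block doubleclick.net (the name tested in the thread).
rpz_update_batch add doubleclick.net
```

Once a zone is maintained this way, named keeps the changes in a journal (db.rpz.local.jnl); stop editing the text file by hand, or wrap a hand edit in rndc freeze rpz.local and rndc thaw rpz.local so the journal and the file do not diverge.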
  • From Daniel Stirnimann@21:1/5 to MEjaz on Tue Jul 14 08:24:46 2020
    To: bind-users@lists.isc.org

    Hello Mohammed,

    I don't see that you specified a "response-policy" [1] statement. You
    need something like this as well:

    response-policy {
        zone "rpz.local" policy given;
    }
    // Apply RPZ policy to DNSSEC signed zones
    break-dnssec yes;

    [1] https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting

    Daniel

    On 14.07.20 08:08, MEjaz wrote:
    > Hello all,
    >
    > Thanks for everyone's contribution. I use RPZ and listed 5000 forged domains to block in a particular zone without having additional
    > zones. I hope that's the feature of RPZ; seems good.
    >
    > Below is a snippet for your review for the zone and the file db.rpz.local,
    > which was copied from the default named.empty.
    >
    > zone "rpz.local" {
    >     type master;
    >     file "db.rpz.local";
    >     allow-query { localhost; };
    > };
    >
    > Once this configuration is done, I am expecting that whoever queries our
    > name server for a zone which is listed in my DNS server should not be allowed to fetch any records recursively from outside servers; it should be served from the internal servers only?
    >
    > When I test my configuration with one of the hosted domains in my list,
    > i.e. doubleclick.net, I got all the results rather than an error being thrown. Please correct me if I am wrong.
    >
    > Here are the logs.
    >
    > [root@ns20 ~]# tailf /var/log/named/rpz.log
    > 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
    > 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local
    > 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
    > 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME NXDOMAIN rewrite stats.g.doubleclick.net via stats.g.doubleclick.net.rpz.local
    > 14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local
    > 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local
    > 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via googleads.g.doubleclick.net.rpz.local

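Added example, not code from the thread: two small awk summaries over rpz log lines in the format Mohammed quotes above (the "rpz QNAME NXDOMAIN rewrite" entries record the policy firing for a given client and name), plus a dig spot-check that reports the rcode a client actually receives for a listed name, which is the direct way to settle the "I got all the results" question. Field positions follow the log format shown in the post; the sample log copies three lines from it and adds one constructed line from client 198.51.100.9 (a reserved documentation address). The resolver address 127.0.0.1 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise BIND "category rpz" log
# lines and spot-check a name against the resolver.  Field positions follow the
# format quoted in the thread; the resolver address is an assumption.

# rpz_hits_by_client <logfile> : "count client-address", most active first.
# The client token looks like "212.71.32.20#38120:", so the #port: suffix is cut.
rpz_hits_by_client() {
    awk '/ rpz: / && / rewrite / {
             for (i = 1; i < NF; i++)
                 if ($i == "client") { addr = $(i + 1); sub(/#.*/, "", addr); n[addr]++ }
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# rpz_hits_by_name <logfile> : "count trigger action qname", most frequent first.
# Around the word "rewrite" the line reads "<trigger> <action> rewrite <qname>".
rpz_hits_by_name() {
    awk '/ rpz: / && / rewrite / {
             for (i = 3; i < NF; i++)
                 if ($i == "rewrite") n[$(i - 2) " " $(i - 1) " " $(i + 1)]++
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# rpz_check <qname> [resolver] : query the resolver and print the rcode.
# NXDOMAIN is what a "CNAME ." policy record produces; NOERROR with answers
# means the policy did not fire for this client.  Needs dig and a live resolver.
rpz_check() {
    dig +noall +comments @"${2:-127.0.0.1}" "$1" A | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Demo: three lines copied from the post plus one constructed line from a
# documentation-range client, so one name and one client appear twice.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local
14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
14-Jul-2020 06:51:00.000 rpz: info: client 198.51.100.9#40000: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
EOF
echo "rewrites per client:"; rpz_hits_by_client "$demo_log"
echo "rewrites per name:";   rpz_hits_by_name "$demo_log"
```

A client that still gets real answers for a logged name is usually not talking to the resolver that wrote the log (a different server, a cache in between, or a host with its own resolver configured), so run rpz_check from the client's network against the address the client actually uses.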
  • From MEjaz@21:1/5 to kremels@kreme.com on Tue Jul 14 11:14:34 2020
    To: bind-users@lists.isc.org (bind-users)

    Ok, I will take care next time.

  • From kremels@kreme.com@21:1/5 to bind-users on Tue Jul 14 01:27:32 2020
    On 14 Jul 2020, at 00:31, MEjaz <mejaz@cyberia.net.sa> wrote:
    > <image001.png>

    Please do not post images. Copy and paste the text.

    (Over 100 lines of quoted lines with no content deleted)



    --
    I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15

  • From Grant Taylor@21:1/5 to MEjaz on Tue Jul 14 22:18:04 2020

    On 7/14/20 12:08 AM, MEjaz wrote:
    > Thanks for everyone's contribution. I use RPZ and listed 5000 forged domains to block in a particular zone without having additional
    > zones. I hope that's the feature of RPZ; seems good.

    You might want to look through those domains and see if there are any
    name servers that stick out significantly more than others.

    Presuming that there are some believed-to-be-bad name servers, you can
    also use RPZ to filter traffic to said name servers carte blanche, even
    if the names aren't listed in the RPZ yet. ;-)



    --
    Grant. . . .
    unix || die


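Grant's suggestion to look for name servers that recur across the list, and to filter on those, maps onto the NSDNAME and NSIP triggers of RPZ. As an added example that is not code from the thread: a function that ranks name servers from a file of "domain nsname" pairs, and helpers that emit the matching rpz-nsdname and rpz-nsip records (the rpz-nsip owner name is the prefix length followed by the IPv4 octets in reverse order). The name server ns1.example.net and the prefix 192.0.2.0/24 are placeholders from reserved documentation ranges; the collector that looks up NS records needs dig and network access and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: RPZ triggers that act on the name
# servers a domain delegates to, rather than on the queried name.  A record
# under rpz-nsdname matches when an authoritative NS *name* matches; one under
# rpz-nsip matches when an NS *address* falls in the prefix.  The records go
# into the existing policy zone.  IPv4 only; ns1.example.net and 192.0.2.0/24
# are placeholders.

# rpz_nsip_label <ipv4[/prefix]> : owner name for an rpz-nsip record, e.g.
#   192.0.2.0/24 -> 24.0.2.0.192.rpz-nsip   (prefix length, octets reversed)
rpz_nsip_label() {
    addr=${1%/*}
    plen=${1#*/}
    if [ "$plen" = "$1" ]; then plen=32; fi      # bare address: single host
    oldIFS=$IFS; IFS=.; set -- $addr; IFS=$oldIFS
    if [ $# -ne 4 ]; then return 2; fi            # not a dotted quad
    printf '%s.%s.%s.%s.%s.rpz-nsip\n' "$plen" "$4" "$3" "$2" "$1"
}

# rpz_ns_records <nsname|ipv4[/prefix]>... : emit "CNAME ." (NXDOMAIN) records
# that block every domain served by the given name servers.
rpz_ns_records() {
    for t in "$@"; do
        case "$t" in
            *[a-zA-Z]*)   # a host name: match it and every name under it
                t=$(printf '%s' "$t" | tr 'A-Z' 'a-z' | sed 's/\.$//')
                printf '%s.rpz-nsdname\tIN CNAME .\n'   "$t"
                printf '*.%s.rpz-nsdname\tIN CNAME .\n' "$t"
                ;;
            *)            # an IPv4 address or prefix
                printf '%s\tIN CNAME .\n' "$(rpz_nsip_label "$t")"
                ;;
        esac
    done
}

# collect_ns <domain-list-file> : print "domain nsname" pairs, one per NS record.
# Needs dig and network access; output feeds rank_nameservers.
collect_ns() {
    while read -r d; do
        dig +short NS "$d" | sed "s/^/$d /"
    done < "$1"
}

# rank_nameservers <pairs-file> : "count nsname", the servers that stick out first.
rank_nameservers() {
    awk '{ n[tolower($2)]++ } END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# Demo on constructed pairs: two of three listed domains sit on the same NS.
demo_pairs=$(mktemp)
printf 'forged-a.example ns1.example.net.\nforged-b.example NS1.example.net.\nforged-c.example ns2.example.org.\n' > "$demo_pairs"
rank_nameservers "$demo_pairs"
rpz_ns_records ns1.example.net. 192.0.2.0/24
```

NS-based triggers act on the delegation data named sees while resolving, so a freshly registered forged domain parked on a known-bad name server is blocked before anyone adds it to the QNAME list. Use them with care: an rpz-nsip prefix that is too wide takes down every domain hosted by a shared DNS provider in that range, which is exactly the collateral damage the "carte blanche" remark above hints at.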