Re: Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Daniel Stirnimann
I doubt you can use RPZ for that.

We use https://dnsdist.org/ for that, our rule:

-- WPAD Name Collision Vulnerability
-- US-CERT TA16-144A. Redirect to landing page
addAction(RegexRule("^wpad\\."),SpoofAction("192.168.1.2", "2001:DB8::2"))

Daniel

On 29.11.17 19:12, Grant Taylor via bind-users wrote:
> Is it possible to filter (*.)wpad.* with RPZ?  Or do I need to look into 
> Response Policy Service and try to filter that way?
> 
> I've used RPZ for various different things over the years, but I don't 
> quite know how to match a wild card on the right hand side.
> 
> Context:  I'd like to prevent "misconfigurations" like the following and 
> I was hoping that RPZ could be utilized:
> 
> Link - Anybody else having issues with wpad.domain.name?
>   - 
> https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/
> 
> Link - Alert (TA16-144A) WPAD Name Collision Vulnerability
>   - https://www.us-cert.gov/ncas/alerts/TA16-144A
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
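The name matching behind the dnsdist rule above, as an added example in Python (not dnsdist's or BIND's code). `^wpad\.` matches a name whose leftmost label is `wpad`, which is exactly what a WPAD client looks up (`wpad.<search suffix>`); Grant's `(*.)wpad.*` would also catch `wpad` as an inner label. Both variants are shown so the difference is explicit, along with the landing-page addresses from the rule. The example assumes the query name is compared case-insensitively (DNS names are) and that a trailing dot is insignificant. For comparison, RPZ QNAME triggers are ordinary domain names with `*` permitted only as the leftmost label, which is why a right-hand wildcard like `wpad.*` cannot be expressed in an RPZ zone.

```python
import re

# Added example (not dnsdist or BIND code). It reproduces the matching logic of
# RegexRule("^wpad\\.") from the rule above and contrasts it with the "(*.)wpad.*"
# pattern asked about, so the difference in what each catches is explicit.
# Assumption: names are compared case-insensitively and trailing dots are ignored.

LEADING_WPAD = re.compile(r"^wpad\.", re.IGNORECASE)


def normalise(qname: str) -> str:
    """Lowercase and drop trailing dot(s): 'WPAD.Example.COM.' -> 'wpad.example.com'."""
    return qname.rstrip(".").lower()


def matches_leading_wpad(qname: str) -> bool:
    """What ^wpad\\. does: only a name whose FIRST label is 'wpad' matches."""
    return LEADING_WPAD.search(normalise(qname)) is not None


def matches_any_wpad_label(qname: str) -> bool:
    """What (*.)wpad.* asks for: any label equal to 'wpad', at any depth."""
    return "wpad" in normalise(qname).split(".")


def wpad_policy(qname: str, strict: bool = False,
                spoof_v4: str = "192.168.1.2", spoof_v6: str = "2001:db8::2") -> tuple:
    """Decide what the resolver front-end does with a query name.
    Returns ('spoof', v4, v6) for a WPAD lookup (the landing-page addresses are the
    ones in the rule above), otherwise ('pass',). strict=True uses the any-label match."""
    hit = matches_any_wpad_label(qname) if strict else matches_leading_wpad(qname)
    return ("spoof", spoof_v4, spoof_v6) if hit else ("pass",)


if __name__ == "__main__":
    # Constructed sample names, including the cases where the two matchers disagree.
    for name in ("wpad.example.com.", "WPAD.corp.example", "sub.wpad.example.com",
                 "wpadx.example.com", "wpad"):
        print(f"{name:24s} ^wpad\\.={matches_leading_wpad(name)!s:5s} "
              f"any-label={matches_any_wpad_label(name)}")
```

Note the two edge cases the table prints: `sub.wpad.example.com` is caught only by the any-label variant, and a bare `wpad` (no suffix appended) is caught by neither the regex nor the leading-label check, since the regex requires the dot after `wpad`.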


Re: Questions about DNS64 operation

2017-11-29 Thread Mark Andrews
Why is preventing 127.0.0.1 being mapped to an AAAA not enough? 
Why do you want it mapped to ::1?  Such a mapping is NOT part of DNS64.

> On 30 Nov 2017, at 3:04 pm, Sukmoon Lee  wrote:
> 
>> 
>> Why not just exclude 127.0.0.1 and not map it to an AAAA at all?
> 
> 
> If the answer for test.com/IN/A is 127.0.0.1 (IPv4), the client will not 
> attempt to connect to the network (it only attempts to connect to loopback).
> 
> However, if the query is for test.com/IN/AAAA (IPv6), DNS64 will answer 
> with the address 64:ff9b::7f00:1 (the DNS64 prefix is 64:ff9b::/96).
> 
> Then the client will attempt to connect to 64:ff9b::7f00:1 (NAT64).
> 
> I want to prevent the client from attempting a network connection to NAT64.
> 
> So I want DNS64 to map 127.0.0.1 to ::1 in its reply.
> 
> And I was using the option below. But this is not what I want.
> 
>   dns64 64:ff9b::/96 {
>   ...
>   mapped { !127/8; any; };
>   }
> 
> Thanks.
> 
>> 
>>> On 29 Nov 2017, at 7:32 pm, Sukmoon Lee  wrote:
>>> 
>>> Hello.
>>> 
>>> I am testing DNS64 using the prefix 64:ff9b::/96.
>>> Some domain's A record (IN/A) resolves to 127.0.0.1.
>>> Under DNS64, this domain's AAAA (IN/AAAA) comes out as 64:ff9b::7f00:1.
>>> 
>>> I want the response to be ::1 under DNS64.
>>> Is there any way?
>>> 
>>> Thanks.
>> 
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

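The synthesis under discussion, as an added example in Python (not BIND's DNS64 code): it computes the RFC 6052 AAAA that DNS64 synthesizes for a /96 prefix and applies the `mapped { !127/8; any; };` ACL from the configuration quoted above, evaluated first-match-wins the way BIND evaluates an address match list. The prefix and the 127.0.0.1 case come from the thread; 203.0.113.10 is a constructed sample address. It also makes Mark's point concrete: the only addresses DNS64 can produce are prefix plus IPv4, so excluding 127/8 yields no AAAA at all rather than ::1.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (Python, not BIND's DNS64 implementation). It shows the RFC 6052
# synthesis BIND performs for a /96 prefix and the effect of the "mapped" ACL from
# the thread, evaluated first-match-wins like a BIND address_match_list.
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # prefix from the thread

ACL = List[Tuple[ipaddress.IPv4Network, bool]]

# mapped { !127/8; any; };  -> 127/8 is negated (not mapped), everything else is mapped
MAPPED_EXCLUDE_LOOPBACK: ACL = [
    (ipaddress.IPv4Network("127.0.0.0/8"), False),
    (ipaddress.IPv4Network("0.0.0.0/0"), True),
]
# mapped { any; };  -> map every A record (what produced 64:ff9b::7f00:1 in the thread)
MAPPED_ANY: ACL = [(ipaddress.IPv4Network("0.0.0.0/0"), True)]


def acl_allows(addr: ipaddress.IPv4Address, acl: ACL) -> bool:
    """The first matching element decides; no match at all means deny."""
    for net, allow in acl:
        if addr in net:
            return allow
    return False


def synthesize_aaaa(a_record: str, prefix: ipaddress.IPv6Network = DNS64_PREFIX,
                    acl: ACL = MAPPED_EXCLUDE_LOOPBACK) -> Optional[str]:
    """Return the synthesized AAAA for one A record, or None when the ACL excludes it.
    For a /96 prefix the IPv4 address occupies the low 32 bits (RFC 6052 section 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles a /96 DNS64 prefix")
    v4 = ipaddress.IPv4Address(a_record)
    if not acl_allows(v4, acl):
        return None
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def dns64_rrset(a_records: List[str], prefix: ipaddress.IPv6Network = DNS64_PREFIX,
                acl: ACL = MAPPED_EXCLUDE_LOOPBACK) -> List[str]:
    """Synthesize an AAAA RRset from an A RRset; an empty list means 'no AAAA answer'.
    Nothing here can ever yield ::1: DNS64 only produces prefix+IPv4 addresses."""
    return [s for s in (synthesize_aaaa(a, prefix, acl) for a in a_records) if s is not None]


if __name__ == "__main__":
    # Constructed sample A RRset: the loopback case from the thread plus an ordinary address.
    sample = ["127.0.0.1", "203.0.113.10"]
    print("mapped { any; }:         ", dns64_rrset(sample, acl=MAPPED_ANY))
    print("mapped { !127/8; any; }: ", dns64_rrset(sample))
```

Run directly, the two ACLs are printed side by side. With the exclusion in place an IPv6-only client that asks for the AAAA of a name whose only A record is 127.0.0.1 gets no synthesized address, and therefore never sends traffic towards the NAT64; that is the outcome the thread is after, without inventing a loopback mapping that DNS64 does not define.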


RE: Questions about DNS64 operation

2017-11-29 Thread Sukmoon Lee
> 
> Why not just exclude 127.0.0.1 and not map it to an AAAA at all?


If the answer for test.com/IN/A is 127.0.0.1 (IPv4), the client will not 
attempt to connect to the network (it only attempts to connect to loopback).

However, if the query is for test.com/IN/AAAA (IPv6), DNS64 will answer 
with the address 64:ff9b::7f00:1 (the DNS64 prefix is 64:ff9b::/96).

Then the client will attempt to connect to 64:ff9b::7f00:1 (NAT64).

I want to prevent the client from attempting a network connection to NAT64.

So I want DNS64 to map 127.0.0.1 to ::1 in its reply.

And I was using the option below. But this is not what I want.

dns64 64:ff9b::/96 {
...
mapped { !127/8; any; };
}

Thanks.

> 
> > On 29 Nov 2017, at 7:32 pm, Sukmoon Lee  wrote:
> >
> > Hello.
> >
> > I am testing DNS64 using the prefix 64:ff9b::/96.
> > Some domain's A record (IN/A) resolves to 127.0.0.1.
> > Under DNS64, this domain's AAAA (IN/AAAA) comes out as 64:ff9b::7f00:1.
> >
> > I want the response to be ::1 under DNS64.
> > Is there any way?
> >
> > Thanks.
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Grant Taylor via bind-users
Is it possible to filter (*.)wpad.* with RPZ?  Or do I need to look into 
Response Policy Service and try to filter that way?


I've used RPZ for various different things over the years, but I don't 
quite know how to match a wild card on the right hand side.


Context:  I'd like to prevent "misconfigurations" like the following and 
I was hoping that RPZ could be utilized:


Link - Anybody else having issues with wpad.domain.name?
 - 
https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/


Link - Alert (TA16-144A) WPAD Name Collision Vulnerability
 - https://www.us-cert.gov/ncas/alerts/TA16-144A



--
Grant. . . .
unix || die

Re: Questions about DNS64 operation

2017-11-29 Thread Mark Andrews
Why not just exclude 127.0.0.1 and not map it to an AAAA at all?

> On 29 Nov 2017, at 7:32 pm, Sukmoon Lee  wrote:
> 
> Hello.
> 
> I am testing DNS64 using the prefix 64:ff9b::/96.
> Some domain's A record (IN/A) resolves to 127.0.0.1.
> Under DNS64, this domain's AAAA (IN/AAAA) comes out as 64:ff9b::7f00:1.
> 
> I want the response to be ::1 under DNS64.
> Is there any way?
> 
> Thanks.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Questions about DNS64 operation

2017-11-29 Thread Sukmoon Lee
Hello.

I am testing DNS64 using the prefix 64:ff9b::/96.
Some domain's A record (IN/A) resolves to 127.0.0.1.
Under DNS64, this domain's AAAA (IN/AAAA) comes out as 64:ff9b::7f00:1.

I want the response to be ::1 under DNS64.
Is there any way?

Thanks.