Re: Is it possible to filter (*.)wpad.* with RPZ?
I doubt you can use RPZ for that. We use https://dnsdist.org/ for that, our rule:

-- WPAD Name Collision Vulnerability -- US-CERT TA16-144A. Redirect to landing page
addAction(RegexRule("^wpad\\."),SpoofAction("192.168.1.2", "2001:DB8::2"))

Daniel

On 29.11.17 19:12, Grant Taylor via bind-users wrote:
> Is it possible to filter (*.)wpad.* with RPZ? Or do I need to look into
> Response Policy Service and try to filter that way?
>
> I've used RPZ for various different things over the years, but I don't
> quite know how to match a wild card on the right hand side.
>
> Context: I'd like to prevent "misconfigurations" like the following and
> I was hoping that RPZ could be utilized:
>
> Link - Anybody else having issues with wpad.domain.name?
> - https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/
>
> Link - Alert (TA16-144A) WPAD Name Collision Vulnerability
> - https://www.us-cert.gov/ncas/alerts/TA16-144A

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
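As an added example (Python written for this page, not Daniel's dnsdist configuration or anything from the original posts), the block below shows what the anchored `^wpad\.` regex in the dnsdist rule selects compared with the `(*.)wpad.*` wildcard Grant asked about, and runs the wildcard-style label check over a few constructed BIND query-log lines so a resolver operator can see which clients are looking up WPAD names before deciding how to answer them. The log lines, client addresses and domain names are constructed for the example; the query-log regex assumes the usual `client ... (name): query: name IN type` layout.

```python
import re

# The regex used by the dnsdist rule quoted above. It is anchored at the START of the
# query name, so it fires only when "wpad" is the leftmost label. Name case handling
# is left to dnsdist; this check matches the name exactly as given.
DNSDIST_WPAD_RE = re.compile(r"^wpad\.")


def dnsdist_regex_matches(qname: str) -> bool:
    """True if dnsdist's RegexRule("^wpad\\.") would select this query name."""
    return DNSDIST_WPAD_RE.search(qname) is not None


def has_wpad_label(qname: str) -> bool:
    """True if any label of the name is exactly 'wpad': the (*.)wpad.* pattern from the
    question. Matches wpad.corp.example and proxy.wpad.corp.example, but not
    wpad-backup.corp.example, because 'wpad-backup' is a different label."""
    labels = qname.rstrip(".").lower().split(".")
    return "wpad" in labels


# Matches the "query: <qname> IN <qtype>" part of a BIND querylog line. The optional
# "@0x..." group tolerates the client handle that newer BIND versions print.
QUERYLOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.a-f:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_wpad_queries(log_lines):
    """Return (client, qname) for every querylog line whose name carries a wpad label.
    Lines that do not parse as query-log entries are skipped."""
    hits = []
    for line in log_lines:
        m = QUERYLOG_RE.search(line)
        if m and has_wpad_label(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".").lower()))
    return hits


# Constructed sample querylog lines (not real traffic); 192.0.2.0/24 is documentation space.
SAMPLE_QUERYLOG = [
    "29-Nov-2017 19:12:01.001 client @0x7f3c1c0a8e10 192.0.2.10#51234 (wpad.corp.example): query: wpad.corp.example IN A + (192.0.2.1)",
    "29-Nov-2017 19:12:01.002 client 192.0.2.11#40211 (www.corp.example): query: www.corp.example IN AAAA +E(0)K (192.0.2.1)",
    "29-Nov-2017 19:12:01.003 client 192.0.2.12#40212 (proxy.wpad.corp.example): query: proxy.wpad.corp.example IN A + (192.0.2.1)",
    "29-Nov-2017 19:12:01.004 client 192.0.2.13#40213 (wpad-backup.corp.example): query: wpad-backup.corp.example IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    for name in ("wpad.corp.example", "proxy.wpad.corp.example", "wpad-backup.corp.example"):
        print(f"{name:26} dnsdist ^wpad\\.: {str(dnsdist_regex_matches(name)):5} "
              f"wpad label: {has_wpad_label(name)}")
    for client, qname in find_wpad_queries(SAMPLE_QUERYLOG):
        print(f"WPAD lookup from {client}: {qname}")
```

The difference worth noting is the third name: `proxy.wpad.corp.example` has a wpad label but is not caught by the anchored dnsdist regex, while `wpad-backup.corp.example` is caught by neither. Whichever rule you deploy, running the label check over the query log first tells you what traffic it would actually affect.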
Re: Questions about DNS64 operation
Why is preventing 127.0.0.1 being mapped to a not enough? Why do you want it mapped to ::1? Such a mapping is NOT part of DNS64.

> On 30 Nov 2017, at 3:04 pm, Sukmoon Lee wrote:
>
>> Why not just exclude 127.0.0.1 and not map to at all?
>
> If the answer is 127.0.0.1 for test.com/IN/A over IPv4, the client will not
> attempt to connect to the network (it only attempts to connect to loopback).
>
> However, if test.com/IN/ is queried over IPv6, DNS64 will answer with the
> address 64:ff9b::7f00:1 (the dns64 prefix is 64:ff9b::/96).
>
> Then the client will attempt to connect to 64:ff9b::7f00:1 (NAT64).
>
> I want to prevent the client from attempting to reach the network through NAT64.
>
> So I want DNS64 to reply with ::1 instead of 127.0.0.1.
>
> And I was using the option below. But this is not what I want.
>
> dns64 64:ff9b::/96 {
>     ...
>     mapped { !127/8; any; };
> }
>
> Thanks.
>
>>> On 29 Nov 2017, at 7:32 pm, Sukmoon Lee wrote:
>>>
>>> Hello.
>>>
>>> I am testing DNS64 using 64:ff9b::/96 (prefix).
>>> Some domain (IN/A) responds with 127.0.0.1/IN/A.
>>> Under DNS64, this domain (IN/) is working as 64:ff9b::7f00:1.
>>>
>>> I want to respond with ::1 under DNS64.
>>> Is there any way?
>>>
>>> Thanks.
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
RE: Questions about DNS64 operation
> Why not just exclude 127.0.0.1 and not map to at all?

If the answer is 127.0.0.1 for test.com/IN/A over IPv4, the client will not attempt to connect to the network (it only attempts to connect to loopback).

However, if test.com/IN/ is queried over IPv6, DNS64 will answer with the address 64:ff9b::7f00:1 (the dns64 prefix is 64:ff9b::/96).

Then the client will attempt to connect to 64:ff9b::7f00:1 (NAT64).

I want to prevent the client from attempting to reach the network through NAT64.

So I want DNS64 to reply with ::1 instead of 127.0.0.1.

And I was using the option below. But this is not what I want.

dns64 64:ff9b::/96 {
    ...
    mapped { !127/8; any; };
}

Thanks.

> > On 29 Nov 2017, at 7:32 pm, Sukmoon Lee wrote:
> >
> > Hello.
> >
> > I am testing DNS64 using 64:ff9b::/96 (prefix).
> > Some domain (IN/A) responds with 127.0.0.1/IN/A.
> > Under DNS64, this domain (IN/) is working as 64:ff9b::7f00:1.
> >
> > I want to respond with ::1 under DNS64.
> > Is there any way?
> >
> > Thanks.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Is it possible to filter (*.)wpad.* with RPZ?
Is it possible to filter (*.)wpad.* with RPZ? Or do I need to look into Response Policy Service and try to filter that way?

I've used RPZ for various different things over the years, but I don't quite know how to match a wild card on the right hand side.

Context: I'd like to prevent "misconfigurations" like the following and I was hoping that RPZ could be utilized:

Link - Anybody else having issues with wpad.domain.name?
- https://www.reddit.com/r/networking/comments/732r5n/anybody_else_having_issues_with_wpaddomainname/

Link - Alert (TA16-144A) WPAD Name Collision Vulnerability
- https://www.us-cert.gov/ncas/alerts/TA16-144A

--
Grant. . . .
unix || die
Re: Questions about DNS64 operation
Why not just exclude 127.0.0.1 and not map to at all?

> On 29 Nov 2017, at 7:32 pm, Sukmoon Lee wrote:
>
> Hello.
>
> I am testing DNS64 using 64:ff9b::/96 (prefix).
> Some domain (IN/A) responds with 127.0.0.1/IN/A.
> Under DNS64, this domain (IN/) is working as 64:ff9b::7f00:1.
>
> I want to respond with ::1 under DNS64.
> Is there any way?
>
> Thanks.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Questions about DNS64 operation
Hello.

I am testing DNS64 using 64:ff9b::/96 (prefix).
Some domain (IN/A) responds with 127.0.0.1/IN/A.
Under DNS64, this domain (IN/) is working as 64:ff9b::7f00:1.

I want to respond with ::1 under DNS64.
Is there any way?

Thanks.