Re: 2 Questions - forward zone and DNS firewalling

2018-10-25 Thread Crist Clark
On Thu, Oct 25, 2018 at 2:57 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 10/25/18 2:34 PM, N6Ghost wrote:
>
[snip]

>
> > next, we were a bind shop but switched to infoblox for some stuff and
> > now outgrew it. and are going back to bind.
> >
> > but we started using the dns firewall part of it and they actually
> > really liked it. any ideas for domain blacklisting? via some sort of
> > feed etc? what is everyone doing for that sort of thing?
>
> Response Policy Zone(s) are what you want.  I thought that's how
> Infoblox did it themselves.


Yes, Infoblox’s DNS implementation is a wrapper around BIND and DNS
Firewall is just straight up BIND RPZ underneath. If you still have
Infoblox around, you can dump the BIND configuration at the CLI and see
exactly what is going on underneath it all.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Enforcing minimum TTL...

2018-10-25 Thread Grant Taylor via bind-users

On 10/25/2018 09:27 PM, Mark Andrews wrote:
> Use a browser that maintains its own address cache tied to the HTTP 
> session.  That is the only way to safely deal with rebinding attacks. 
> Rebinding attacks have been known about for years.  There is zero excuse 
> for not using a browser with such protection.


That is sound advice.

Unfortunately it does not answer my question of is there a way to 
enforce a minimum TTL (with BIND).


Nor does it protect less intelligent browsers or (IoT) devices.



--
Grant. . . .
unix || die





Re: Enforcing minimum TTL...

2018-10-25 Thread Mark Andrews
Use a browser that maintains its own address cache tied to the HTTP session.  
That is the only way to safely deal with rebinding attacks.  Rebinding attacks 
have been known about for years.  There is zero excuse for not using a browser 
with such protection.

> On 26 Oct 2018, at 12:02 pm, Grant Taylor via bind-users 
>  wrote:
> 
> Is there a way to enforce a minimum TTL?
> 
> My initial searching indicated that ISC / BIND developers don't include a way 
> to do so on a matter of principle.
> 
> I'd like to enforce a minimum TTL of 5 minutes (300 seconds) on my private 
> BIND server at home.  I'm wanting to use this as a method to thwart DNS 
> Rebinding attacks.
> 
> I've already got RPZ filtering out what IANA defines as Special Purpose IPv4 
> addresses.  But this does nothing to prevent rebinding to a different IP on 
> the globally routed Internet, or squatters that are re-using someone else's 
> IP space (i.e. ISP's abusing DoD IP space for CGN).
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Enforcing minimum TTL...

2018-10-25 Thread Grant Taylor via bind-users

Is there a way to enforce a minimum TTL?

My initial searching indicated that ISC / BIND developers don't include 
a way to do so on a matter of principle.


I'd like to enforce a minimum TTL of 5 minutes (300 seconds) on my 
private BIND server at home.  I'm wanting to use this as a method to 
thwart DNS Rebinding attacks.


I've already got RPZ filtering out what IANA defines as Special Purpose 
IPv4 addresses.  But this does nothing to prevent rebinding to a 
different IP on the globally routed Internet, or squatters that are 
re-using someone else's IP space (i.e. ISP's abusing DoD IP space for CGN).




--
Grant. . . .
unix || die







Re: Queries regarding forwarders

2018-10-25 Thread Grant Taylor via bind-users

On 10/25/2018 06:26 PM, Lee wrote:
> If you're using those addresses internally it makes sense to filter them 
> from 'outside'.


That's what I thought.

> I play those games at times also :)  So it sounds like what I was 
> missing is that you like a challenge & are using more address space than 
> I thought.


Games are good learning opportunities.

I don't know if I'm /using/ the address space per se or not.  I do have 
12 /24 non-globally routed networks that aren't from RFC 1918 address 
space.  Mainly because I can and the address space makes it easy to do.




--
Grant. . . .
unix || die





Re: Queries regarding forwarders

2018-10-25 Thread Lee
On 10/25/18, Grant Taylor via bind-users  wrote:
> On 10/25/2018 03:25 PM, Lee wrote:
>
>> I'm missing what filtering out things like benchmarking & documentation
>> network addrs gets you beyond maybe saving some bandwidth?
>
> I do use all sorts of IP ranges (test networks extensively) in my home /
> lab networks.  So I'd really rather external things not resolve to an
> address that I may be using.  But that's me being atypical.

If you're using those addresses internally it makes sense to filter
them from 'outside'.

>> Same deal with using RPZ to block IPv4 BOGONs.  What does RPZ blocking
>> get you that you don't get by blocking them on your edge routers?
>
> Defense in depth.
>
> It's more of an exercise of can it be done.  Read:  Can I concoct
> something that will receive a feed from Team Cymru's BGP Bogon Route Server
> and turn it into an RPZ.

I play those games at times also :)  So it sounds like what I was
missing is that you like a challenge & are using more address space
than I thought.

Regards,
Lee


forward zone

2018-10-25 Thread Frédéric Lochon

Hello,

I'm new to this list, but I have been using BIND for quite some time.

I have a machine running BIND which is authoritative for some domains I 
own and is the nameserver for my home network.


Thus:
- BIND answers to any query from my home network
- BIND answers to queries from the whole planet Earth for the domains I own

This is because:
- in "options", I have (among others)  allow-query { trusted; };
- in each domain zone I have   allow-query { any; };


Today, I just set up a new zone of type "forward" but I have trouble 
making it work properly:

- my home network is allowed to send queries because it is "trusted"
- nobody from outside my home network is allowed to send queries because 
it is not "trusted"


As you can't have "allow-query" in a zone of type "forward", I don't 
find any nice solution.


The only solution I found is to allow queries from the whole planet 
Earth by changing "allow-query" in options to "any".

But this is not recommended.

I also thought of using "views" but you can't have "options" in views.

So I'm wondering if anybody would have a suggestion to open my "forward" 
zone to planet Earth?


Thanks in advance,

Frédéric.



Re: 2 Questions - forward zone and DNS firewalling

2018-10-25 Thread Grant Taylor via bind-users

On 10/25/18 2:34 PM, N6Ghost wrote:

> I want to move a core namespace to the load balancer but I want them to
> let me assign them a new zone that's internally authoritative and use it
> as the LB domain.
>
> which would be:
> cname name.domain.com -> newname.newzone.domain.com
>
> they want:
> cname name.domain.com -> newname.oldzone.domain.com
>
> old zone is directly delegated from outside to them so we need an
> internal forward zone for it. I don't want to rely on that.


Can I ask why you don't like forwarded zones?

Is it a possibility to slave the zone off of them instead of forwarding 
to them?



> any thoughts on this? what can I use to present to management to win
> this?


I think it comes down to pros and cons of each:  existing zone + 
forwarders vs new zone.


IMHO it's perfectly fine to have dislikes.  You just need to be able to 
explain them and / or set them aside if someone explains their position 
better.



> next, we were a bind shop but switched to infoblox for some stuff and
> now outgrew it. and are going back to bind.
>
> but we started using the dns firewall part of it and they actually
> really liked it. any ideas for domain blacklisting? via some sort of
> feed etc? what is everyone doing for that sort of thing?


Response Policy Zone(s) are what you want.  I thought that's how 
Infoblox did it themselves.  Maybe they were using the newer Response 
Policy Service.  -  It's my understanding that the RPS API is open and 
documented.  It's just that there aren't any Open Source / free RPS 
services.


IMHO:  RPS is similar to milter for Sendmail or WCCP for caching proxies.



--
Grant. . . .
unix || die





Re: Queries regarding forwarders

2018-10-25 Thread Grant Taylor via bind-users

On 10/25/2018 03:25 PM, Lee wrote:

> I feel like I'm missing something :(


I'll see if I can fill in below.

> I read this 
> https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 
> and used RPZ to block anything coming from outside that might be an 
> internal address.


I'll read that and reply later if I feel it's warranted.

> I'm missing what filtering out things like benchmarking & documentation 
> network addrs gets you beyond maybe saving some bandwidth?


Probably not much for most people.

I do use all sorts of IP ranges (test networks extensively) in my home / 
lab networks.  So I'd really rather external things not resolve to an 
address that I may be using.  But that's me being atypical.


> Same deal with using RPZ to block IPv4 BOGONs.  What does RPZ blocking 
> get you that you don't get by blocking them on your edge routers?


Defense in depth.

It's more of an exercise of can it be done.  Read:  Can I concoct 
something that will receive a feed from Team Cymru's BGP Bogon Route Server 
and turn it into an RPZ.




--
Grant. . . .
unix || die



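As an added example (not code from anyone in this thread), here is a Python sketch of the "feed to RPZ" idea above: it parses a bogon-style prefix list, encodes each prefix as an rpz-ip trigger, and writes rpz-passthru entries for local zones first, as Lee's earlier reply recommends. The feed text and the home.example zone are constructed assumptions, not real data.

```python
import ipaddress

# Constructed sample in the style of a bogon / special-purpose prefix feed
# (one IPv4 CIDR per line, '#' starts a comment). Not a real download.
SAMPLE_FEED = """\
# constructed sample: a few IANA special-purpose / bogon IPv4 prefixes
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24      # documentation (TEST-NET-1)
198.18.0.0/15     # benchmarking
240.0.0.0/4
"""

# Local zones whose answers legitimately live inside filtered ranges;
# they get rpz-passthru so the IP triggers below leave them alone.
LOCAL_PASSTHRU_ZONES = ["home.example"]  # assumed placeholder zone name

def parse_prefix_feed(text):
    """Return IPv4Network objects from a '#'-commented prefix list."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.IPv4Network(entry, strict=True))
    return nets

def rpz_ip_owner(net):
    """Encode a prefix as an RPZ IP-trigger owner name,
    <prefixlen>.<octets reversed>.rpz-ip, e.g. 192.0.2.0/24 -> 24.0.2.0.192.rpz-ip"""
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"

def build_rpz_zone(nets, passthru_zones, origin="bogons.rpz", serial=1):
    """Render an RPZ zone: passthru for local zones, NXDOMAIN ('CNAME .')
    for any answer that points into a filtered prefix."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    # RPZ evaluates QNAME triggers before IP triggers, so these passthru
    # entries win for the local zones even when the answer is a filtered IP.
    for zone in passthru_zones:
        lines.append(f"{zone} CNAME rpz-passthru.")
        lines.append(f"*.{zone} CNAME rpz-passthru.")
    for net in sorted(nets):
        lines.append(f"{rpz_ip_owner(net)} CNAME .")
    return "\n".join(lines) + "\n"
```

The rendered text is served as an ordinary local zone and referenced from named.conf with `response-policy { zone "bogons.rpz"; };`.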


Re: Queries regarding forwarders

2018-10-25 Thread Lee
On 10/24/18, Grant Taylor via bind-users  wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
>> it does, so you have to flag your local zones as rpz-passthru.
>
> Thank you again Lee.  You gave me exactly what I needed and wanted to know.

you're welcome :)

> I finally got around to configuring my RPZ to filter IPv4
> Special-Purpose Address Registry as per IANA's definition.
> (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#iana-ipv4-special-registry-1)
>
> I am also happily using rpz-passthru for my local domain(s) that resolve
> to filtered IPs.
>
> Now I'm pontificating augmenting my RPZ to also filter replies that
> resolve to IPv4 BOGONs.  (Received via BGP feed with Team Cymru.)

I feel like I'm missing something :(

I read this
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
and used RPZ to block anything coming from outside that might be an
internal address.  I'm missing what filtering out things like
benchmarking & documentation network addrs gets you beyond maybe
saving some bandwidth?

Same deal with using RPZ to block IPv4 BOGONs.  What does RPZ blocking
get you that you don't get by blocking them on your edge routers?

Thanks,
Lee


2 Questions - forward zone and DNS firewalling

2018-10-25 Thread N6Ghost
Hi All,

have two questions. first, I am not a huge fan of using forwarding zones
and our "load balancing" team has their zone delegated to them in a
way that needs an internal forward zone to work properly on the inside
and not rely on an internet POP. 

I want to move a core namespace to the load balancer but I want them to 
let me assign them a new zone that's internally authoritative and use it
as the LB domain. 

which would be:
cname name.domain.com -> newname.newzone.domain.com

they want:
cname name.domain.com -> newname.oldzone.domain.com

old zone is directly delegated from outside to them so we need an
internal forward zone for it. I don't want to rely on that. 

any thoughts on this? what can I use to present to management to win
this?

next, we were a bind shop but switched to infoblox for some stuff and
now outgrew it. and are going back to bind. 

but we started using the dns firewall part of it and they actually
really liked it. any ideas for domain blacklisting? via some sort of
feed etc? what is everyone doing for that sort of thing?

thanks

-N6Ghost


Re: Question about visibility

2018-10-25 Thread G.W. Haywood via bind-users

Hi there,

On Thu, 25 Oct 2018, Grant Taylor wrote:

> On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote:
>
>> A server on a non-standard port is often neglected.  Its security may
>> be less well maintained than one that is intentionally public.
>
> Why and how do you make that correlation?


Years of customers (including a major motor vehicle manufacturer) who
said "The guy that set all this up has left." and "We don't know what
happened to the disc.", and "Oh, we'd forgotten about that one." and...


> Are you implying that some people think that because they've taken one
> step (moving the port) they may think that they don't need to take other
> steps (updating)? ...


No, that was not what I meant to imply at all.


> I've always found that moving the port is one of many steps done to
> improve security.


As was mentioned by others earlier in the thread.  No argument there, I
do that too - especially for ssh and VPN connections.  But you'd likely
have poor results with a nameserver. :)


> The more important steps being stay up to date.


That being the problem.  The |guy left|...|forgotten about it| means
that unless the updating is automatic (and still working - unlikely,
even if it was once) then you more or less have a ticking time-bomb.

Mostly off-topic for this list though.

--

73,
Ged.