Re: RPZ for reverse lookups ?

2019-08-25 Thread m3047 

Clarification on what DNS is...

On Sun, 25 Aug 2019, m3047 wrote:

On Sat, 24 Aug 2019, J Doe wrote:

 [...] Is it possible to re-write a response on a reverse lookup ?  For
 instance, if I considered example.com a “bad domain”, can I write a RPZ
 policy so that a reverse lookup of IP’s that map to example.com fails or

   

 is blocked ?
 [...]

proposed actions local in scope? Do you run a local passive DNS oracle?)


Strictly speaking, in DNS-speak the "reverse lookup of an IP..." is a PTR 
lookup. The "reverse lookup of an IP mapping to example.com" is doing a 
PTR lookup and matching it against example.com. I could be wrong 
generally, but at least none of the RPZ features which I use generate 
additional DNS traffic; an RPZ implementation which did would exceed my 
personal threshold of least surprise.


You might consider taking discussion of this to the RPZ interest list or 
searching the archives: http://lists.redbarn.org/mailman/listinfo/dnsfirewalls


--

Fred Morris___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: RPZ for reverse lookups ?

2019-08-25 Thread m3047 

Yes. See below.

Another respondent expresses concerns about the danger of IP address 
blocking. The RPZ implementation (in BIND) includes options for setting 
triggers on the address returned with A and  RRs (rpz-ip) and 
nameserver address (nsip). These kinds of actions are functionally 
distinct from triggers based on the query name.


On Sat, 24 Aug 2019, J Doe wrote:
[...] Is it possible to re-write a response on a reverse lookup ?  For 
instance, if I considered example.com a “bad domain”, can I write a RPZ 
policy so that a reverse lookup of IP’s that map to example.com fails or 
is blocked ?


I know I can do this with a forward lookup to generate NXDOMAIN:

; Forward resolution of: example.com and subdomains generates: NXDOMAIN

example.comIN CNAME .
*.example.com  IN CNAME .


I have to wonder what led us here and why it's so important to generate 
NXDOMAIN. There are plenty of ways to disrupt as well as out and out block 
access to an IP address which don't require resorting to DNS tricks, such 
as using a firewall, but let's see what we can do.


I suspect if you wanted to block an IP address, that rpz-ip is what you're 
looking for.


What you've got above prevents example.com from resolving to any address. 
So where did the address come from? Are you sure the evidence chain 
involves example.com and not something else (correctly or incorrectly) 
resolving to that address, or someone outright lying? Why would you assume 
that? (And as the other prior respondent points out, it has risks. Are the 
impacts of your proposed actions local in scope? Do you run a local 
passive DNS oracle?)


Let's say that example.com resolves to 10.9.8.7. In that case "dig -x 
10.9.8.7" will generate a query for 7.8.9.19.in-addr.arpa PTR records. A 
record like


7.8.9.10.in-addr.arpa CNAME .

will generate NXDOMAIN in response to that query. You could be more 
explicit:


7.8.9.10.in-addr.arpa PTR block.this.

If you were doing spam scoring based on the feature "does the FQDN the MTA 
declares as its identity match a reverse lookup on its address", either 
one of these would potentially fail. NXDOMAIN is generally an implied fail 
however, and could be due to infrastructure failures distinct and separate 
from imputed conduct; whereas the feature "anything that a reverse lookup 
resolves to block.this should be blocked" is explicit (and unambiguous 
until the .this TLD launches).


--

Fred Morris
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users