Re: DNS Queries Using API - BIND9

2020-05-11 Thread Vadim Pavlov via bind-users
If your users have admin permissions you probably will not find any open source 
tool which supports that. For restricted accounts on Win - create policies.

BR,
Vadim
> On May 10, 2020, at 23:52, Blason R  wrote:
> 
> That's a nice starting point -
> 
> https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/
> 
> But still looking for any client utility so that users can not shutdown or 
> can not suspend the service
> 
> On Mon, May 11, 2020 at 12:18 PM Blason R <blaso...@gmail.com> wrote:
> Hmm- Any docs on configuring DOH Proxy? 
> 
> On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
> 
> 
> On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
> > The main issue is that bind doesn’t provide an authentication method. So in
> > any case you somehow should manage the access to the DNS server vice
> > versa it will become open resolver and will be used for DDoS attacks.
> 
> If you were to use DoH, you could use Basic Authentication. The DoH URL
> you could configure on your client systems could be something like this:
> 
> https://username:passw...@doh.example.com/dns-query
> 
> 
> Daniel

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS Queries Using API - BIND9

2020-05-11 Thread Vadim Pavlov via bind-users
Good idea. It may work. I’ve been using Intra for 1.5 years (with my DNS) and 
actually didn’t try it; my “old” DoH proxy probably doesn’t support it. 
With nginx it should be possible if these open source clients support it.
For Win/Mac/Linux there should be some open source DoH clients (backup will be 
using it just in browsers).

Vadim
> On May 10, 2020, at 23:26, Daniel Stirnimann wrote:
> 
> 
> 
> On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
>> The main issue is that bind doesn’t provide an authentication method. So in
>> any case you somehow should manage the access to the DNS server vice
>> versa it will become open resolver and will be used for DDoS attacks.
> 
> If you were to use DoH, you could use Basic Authentication. The DoH URL
> you could configure on your client systems could be something like this:
> 
> https://username:passw...@doh.example.com/dns-query
> 
> 
> Daniel



Re: DNS Queries Using API - BIND9

2020-05-11 Thread Vadim Pavlov via bind-users
Hi Blason,

There are open source clients for iOS (DNSCloak) and Android (Intra) which use 
DoH (you will need to install a DoH proxy) but I’m not aware of free clients 
for Mac/Windows/Linux (maybe because they have embedded clients which can be 
configured to use any 3rd party DNS :). 
The main issue is that bind doesn’t provide an authentication method. So in any 
case you somehow should manage the access to the DNS server vice versa it will 
become open resolver and will be used for DDoS attacks.

I would recommend you a few options here:
- Use a trial for any “paid” solutions. E.g. Infoblox offers a 90 days free 
trial; it may be enough to pass the WFH stage;
- Require VPN back to your HQ and provision to automatically establish them;
- Install bind on these laptops and push RPZ feeds directly to them (zone 
transfer can be authenticated by using TSIG Keys). You may see issues if the 
feed size is >1m rules.
- Provide your employees VMs (if they have servers at home) or even Raspberry Pi 
to protect the whole home network (actually it is important). In my ioc2rpz 
community (https://ioc2rpz.net) you can take a look at the RpiDNS 
installation script. It installs ISC Bind and provisions my community RPZ 
feeds (you may replace them with your feeds), OpenResty for the admin interface 
and a walled garden page + provisions RSyslog. On Raspberry Pi Zero the 
installation takes about 10 minutes (demo video - 
https://www.youtube.com/watch?time_continue=2=942yKOGAwbU=emb_logo).


BR,
Vadim
> On May 10, 2020, at 21:14, Blason R  wrote:
> 
> Hi Folks,
> 
> I am seeking a solution for our problem below and wanted to know if any open 
> source option can help us here?
> We have our internal DNS RPZ firewall built on BIND9. Due to the current 
> situation since all users are working from home we are not able to route 
> their queries to internal DNS servers. Well, when they are on VPN definitely 
> queries are then passed through internal DNS server but they are left open 
> when not connected to VPN.
> 
> Is there any solution using -
> API by which we can route the queries for user who are on Internet
> Or any client utility which can be installed on user's desktop/laptop where 
> we can embed our BIND RPZ server and then route the queries to internal one 
> using NAT?
> Or any other alternative community can suggest?
> 
> This is just like Cisco Umbrella or any other Paid DNS firewall solutions but 
> seeking if we can have any open source option?
> 
> Thanks & Regards
> Blason R


Re: DNS RPZ Protection From DoH

2019-10-02 Thread Vadim Pavlov via bind-users
You didn’t get the sarcasm in the previous email :)
The issue is that you can not 100% block DoH w/o blocking HTTPS. You may block 
well-known domains and IPs but there are many unknown ones, and for targeted 
attacks new servers can be created even behind legit (but compromised) websites. 

Vadim
> On Oct 2, 2019, at 10:04, Blason R  wrote:
> 
> Block 443? Not even possible since most of the portals/web servers nowadays 
> work on TCP/443
> 
> On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg wrote:
> On 10/2/19 8:00 AM, Blason R wrote:
> > Hmm that is a good idea to block the DOH queries but what I understood
> > is blocking on perimeter level would be more appropriate.
> 
> To nullify the abilities of DoH, you can block port TCP/443.
> 
> That is pretty much guaranteed to keep DoH from working, but you may
> want to test this solution in the lab before you deploy widely.
> 
> This method of controlling DoH may have side-effects.
> 
> AlanC


Re: rpz using a forward zone

2019-06-05 Thread Vadim Pavlov via bind-users
You can spin up a separate instance of bind (or use my open source ioc2rpz dns 
server) to feed (via a zone transfer) the modified zone to your older bind 
instance.

Vadim

> On Jun 5, 2019, at 13:04, Mike Woods  wrote:
> 
> I was afraid that would be the answer, time to try some other solutions 
> then.
> 
> Thanks.
> 
> On 05/06/2019 12:03, Tony Finch wrote:
>> Mike Woods  wrote:
>>> 
>>> So, the long and short of things, is it actually possible to point the
>>> response policy at a forward zone
>> 
>> No, the RPZ zone file has to be present on the resolver. The RPZ is parsed
>> into a special fast lookup data structure so that policies can be applied
>> efficiently.
>> 
>> Tony.
>> 


Re: Saurabh: Want to exclude the MX Record from my RPZ Configuration.

2018-09-06 Thread Vadim Pavlov via bind-users
You can not accomplish that task using RPZ. It doesn't allow you to 
substitute/block a specific record and bypass others.

Vadim
> On 06 Sep 2018, at 22:24, Saurabh Srivastava  wrote:
> 
> Dear Bind-Users, 
> 
> Greetings of the Day!!!
> 
> I am stuck at one place in my DNS RPZ.
> I want to exclude the MX Record for any domain in my RPZ Configuration.
> I only want to keep the A Record of any domain but want to exclude the MX 
> Record of that domain.
> Can you please help me out to achieve this?
> Means, in configuration, is it possible to exclude the MX Record of any 
> domain?
> Please help me out in this regard.
> 
> Thanks,
> Saurabh 
> Thanks & Regards,
> 
> Saurabh
> Email: jp.saur...@gmail.com    


Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Vadim Pavlov via bind-users
Should be:

response-policy {
    zone "whitelist.allow" policy passthru;
    zone "malware.trap";
    zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;

Vadim
> On 09 Aug 2018, at 20:50, Blason R  wrote:
> 
> This is the error I am getting
> 
> /etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'
> 
> On Fri, Aug 10, 2018 at 9:10 AM Blason R wrote:
> Hi there,
> 
> Where should it appear? ARM says it should appear in the Global-section of 
> response-policy which I tried but getting error.
> 
> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> };
> qname-wait-recurse no;
> break-dnssec no;
> 
> 
> On Fri, Aug 10, 2018 at 8:09 AM Blason R wrote:
> Well mine is a bit different. I have RPZ and almost 40+ RPZ entries wall 
> gardened. And in my scenario users are talking to windows based AD/DNS server 
> and then that server has forwarder set to RPZ.
> 
> First issue; I observed certain entries from BIND/RPZ zone are being resolved 
> by windows server directly to their original IPs and not the wall-gardened 
> IP. Where I believe once the forwarder is set all those queries should have 
> been routed to RPZ server? [If anyone here having Windows DNS expertise, pls 
> help]
> And another, certain RPZ queries if queried through AD/DNS server are not at 
> all getting resolved. When I captured packets on BIND/RPZ server I see that 
> those domains are getting NXdomain by RPZ and not sure why.
> Thanks and Regards,
> Lionel F
> 
> On Thu, Aug 9, 2018 at 11:08 PM Bob Harold wrote:
> 
> On Thu, Aug 9, 2018 at 9:31 AM Blason R wrote:
> For example this one.
> 
> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
> 
> With RPZ, the name is looked up normally first, and only if there is an 
> answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that 
> and does not use RPZ.
> If that is not what you want, then you probably want to set the option:
> qname-wait-recurse no;
> 
> -- 
> Bob Harold
> 
> 
>  
> 
> On Thu, Aug 9, 2018 at 6:59 PM Blason R wrote:
> Hi Bind-Users,
> 
> I would really appreciate if someone can help me understanding my issue with 
> BIND RPZ server?
> 
> I have one windows server say 192.168.1.42 and then RPZ server with 
> 192.168.1.179. I noticed that there are certain domains which are not getting 
> resolved from end users. 
> 
> Ideally since those end user has 192.168.1.42 DNS Server set and has 
> forwarder set to 192.168.1.179 should forward all queries to 1.179, right?
> 
> But certain domains from my response-policy are even though wall-gardened 
> those are being catered as NXdomain.
> 
> Anything I am missing pertaining to RPZ?
> 
> Or if I am querying all those domains directly to RPZ server then I am 
> getting proper answer. This issue is noticed when I have forwarder server is 
> between
> 
> options {
>     version "test";
>     allow-query { localhost; subnets; };
>     directory "/var/cache/bind";
>     recursion yes;
>     querylog yes;
>     forwarders {
>         1.1.1.1; 9.9.9.9; 208.67.222.222; 8.8.8.8;
>     };
>     // dnssec-validation auto;
>     request-ixfr yes;
>     auth-nxdomain no;    # conform to RFC1035
>     // listen-on-v6 { any; };
>     listen-on port 53 { any; };
>     listen-on port 15455 { any; };
>     response-policy {
>         zone "whitelist.allow" policy passthru;
>         zone "wg.block";
>         zone "bad.trap";
>         zone "block.tld";
>         zone "ransomwareips.block";
>     };
> };
> 


Re: Question about BIND and RPZ

2018-08-04 Thread Vadim Pavlov via bind-users
Sorry for the confusion. I thought that you had access to the RPZ feeds. You can 
not trigger an RPZ rule by the recursion bit. 
You should contact your DNS provider and ask them, instead of NXDOMAIN, to 
provide you a different response which can be used to trigger RPZ on your 
Bind (e.g. unused IP) or even better just send you a redirect to a WG page.

Vadim
> On 04 Aug 2018, at 09:42, Felipe Arturo Polanco wrote:
> 
> Hi Vadim,
> 
> Thanks for the response, 
> 
> How will that zone policy differentiate between responses with the 'recursion 
> available' bit set and unset? 
> 
> I do not have the list of malware sites, the DNS provider does not share it. 
> 
> Also I'm no expert with BIND so pardon any outside question. 
> 
> 
> On Sat, Aug 4, 2018, 12:27 PM Vadim Pavlov wrote:
> Hi Felipe,
> 
> You do need to do that. You may configure redirect action on a zone level. 
> Just add "policy cname domain"
> 
>   [ response-policy {
> zone zone_name
>   [ policy ( given | disabled | passthru | drop |
>  tcp-only | nxdomain | nodata | cname domain ) ]
>   [ recursive-only yes_or_no ]
>   [ max-policy-ttl number ] ;
>  ...
> }
> 
> E.g. 
> response-policy { zone "badlist" policy cname www.wgarden.com; };
> 
> BR,
> Vadim
>> On 04 Aug 2018, at 06:52, Felipe Arturo Polanco wrote:
>> 
>> Hi,
>> 
>> I have a question regarding BIND and its RPZ functionality.
>> 
>> We are using a DNS provider that blocks malware by returning an NXDOMAIN 
>> response back whenever a match is found.
>> 
>> The way they differentiate between real non-existent websites vs malware 
>> sites is by turning off the 'recursion available' bit in the NXDOMAIN 
>> response, non-existent sites do have this bit turned on.
>> 
>> Is there a way to match this flag in an RPZ policy to redirect malware sites 
>> response to a wall garden website while not matching real non-existent 
>> websites?
>> 
>> Thanks,

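Added example, not part of the original thread: RPZ cannot act on header flags, but a script that sees the provider's raw response can read the signal described in the question above. The Python below parses the DNS header and question and separates NXDOMAIN with the 'recursion available' bit clear from NXDOMAIN with it set; the packets are constructed, and `build_response`, `classify` and the result strings are names chosen for this example.

```python
import struct

NXDOMAIN = 3
QR_BIT, RD_BIT, RA_BIT = 0x8000, 0x0100, 0x0080


def build_response(qname, rcode, ra, qtype=1):
    """Constructed test input: a DNS response holding only header + question."""
    flags = QR_BIT | RD_BIT | (RA_BIT if ra else 0) | (rcode & 0x000F)
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + name + b"\x00" + struct.pack("!2H", qtype, 1)


def parse_response(packet):
    """Return the header fields and question name of a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    _ident, flags, qdcount = struct.unpack("!3H", packet[:6])
    labels, pos = [], 12
    if qdcount:
        while True:
            if pos >= len(packet):
                raise ValueError("truncated question name")
            length = packet[pos]
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("unexpected compression pointer in question")
            label = packet[pos + 1:pos + 1 + length]
            if len(label) != length:
                raise ValueError("truncated label")
            labels.append(label.decode("ascii", "replace"))
            pos += 1 + length
    return {
        "qname": ".".join(labels),
        "is_response": bool(flags & QR_BIT),
        "ra": bool(flags & RA_BIT),
        "rcode": flags & 0x000F,
    }


def classify(packet):
    """Apply the provider convention from the thread: NXDOMAIN with RA clear
    means a blocked name, NXDOMAIN with RA set means the name does not exist."""
    msg = parse_response(packet)
    if not msg["is_response"]:
        return "not-a-response"
    if msg["rcode"] != NXDOMAIN:
        return "other"
    return "really-nonexistent" if msg["ra"] else "blocked-by-provider"


if __name__ == "__main__":
    for name, ra in (("malware.example", False), ("no-such-name.example", True)):
        print(name, classify(build_response(name, NXDOMAIN, ra)))
```

This only works on the provider's own response as captured upstream of BIND; a forwarding resolver builds its own header when it answers its clients.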


Re: Question about BIND and RPZ

2018-08-04 Thread Vadim Pavlov via bind-users
Hi Felipe,

You do need to do that. You may configure redirect action on a zone level. Just 
add "policy cname domain"

  [ response-policy {
zone zone_name
  [ policy ( given | disabled | passthru | drop |
 tcp-only | nxdomain | nodata | cname domain ) ]
  [ recursive-only yes_or_no ]
  [ max-policy-ttl number ] ;
 ...
}

E.g. 
response-policy { zone "badlist" policy cname www.wgarden.com; };

BR,
Vadim
> On 04 Aug 2018, at 06:52, Felipe Arturo Polanco wrote:
> 
> Hi,
> 
> I have a question regarding BIND and its RPZ functionality.
> 
> We are using a DNS provider that blocks malware by returning an NXDOMAIN 
> response back whenever a match is found.
> 
> The way they differentiate between real non-existent websites vs malware 
> sites is by turning off the 'recursion available' bit in the NXDOMAIN 
> response, non-existent sites do have this bit turned on.
> 
> Is there a way to match this flag in an RPZ policy to redirect malware sites 
> response to a wall garden website while not matching real non-existent 
> websites?
> 
> Thanks,


Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Vadim Pavlov via bind-users
Just to be more clear. DNSSEC records can contain any content and can be used 
for infiltration/tunneling. 
E.g. If you request a DNSKEY record (you can encode your request in the fqdn) you 
will get it exactly "as is". Intermediate DNS servers do not validate the 
records.
So instead of "standard/usual" TXT records you can use DNSKEY to pass data from 
a remote DNS server.

Vadim
> On 17 Jun 2018, at 10:07, Grant Taylor via bind-users wrote:
> 
> On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
>> DNSSEC can be used for infiltration/tunneling (when you get data from a DNS 
>> servers) but there is a catch that such requests can be easily dropped.
> 
> Will you please elaborate and provide a high level overview of how DNSSEC can 
> be used for infiltration or tunneling?
> 
> It is my understanding that DNSSEC is just a cryptographic hash that clients 
> can verify by calculating their own hash over the results for the same query. 
>  As such, nothing is actually hidden.  1) You know the outbound query, 2) you 
> know the inbound reply + DNSSEC signature, 3) you know the algorithm used to 
> generate the hash, and 4) you validate the DNSSEC signature.  So, what about 
> that is hidden?
> 
> I fail to see how DNSSEC can be a covert channel, even if there is 
> manipulation in what key is used.  Unless you're expiring & modifying the ZSK 
> about once a second so that you can change things and try to hide using 
> something like steganography.  Even then, I'm not sure how well that would 
> work.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die


Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Vadim Pavlov via bind-users
DNSSEC can be used for infiltration/tunneling (when you get data from DNS 
servers) but there is a catch that such requests can be easily dropped.

Vadim
> On 17 Jun 2018, at 09:44, Sten Carlsen  wrote:
> 
> Interesting, the Dnssec records with their by definition random and large 
> content seems to be the most interesting vehicle, at least at first sight.
> 
> Will e.g. the google DNS server or any other resolver deliver and fetch this 
> data? At the moment I can't think of any reason it should not do so.
> 
> To really block this, I think you would need to actually verify the 
> correctness of the data.
> 
> On 17-06-2018 08.43, Blason R wrote:
>> Hi Team,
>> 
>> Can someone please guide if DNS exfiltration techniques can be identified 
>> using DNS RPZ? Or do I need to install any other third party tool like IDS 
>> to identify the the DNS beacon channels.
>> 
>> Has anyone used DNS RPZ to block/detect data exfiltration?
>> 
>> 
> 
> -- 
> Best regards
> 
> Sten Carlsen
> 
> No improvements come from shouting:
> 
> "MALE BOVINE MANURE!!!" 


Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Vadim Pavlov via bind-users
Hi,

RPZ is just a simple feature to block/log/redirect DNS requests. It doesn't 
analyse DNS requests & responses or client behaviour.
So RPZ can block a domain which is used for DNS Exfil/Infil/Tunneling but to 
detect Exfiltration you should use 3rd party tools/software (e.g. Infoblox 
Threat Insight).
+ do not forget that "qname-wait-recurse" should be switched off and an RPZ with 
such domains must come before (e.g. first), in order, any zone which contains 
IP/NS based rules.
Vadim
> On 17 Jun 2018, at 08:43, Blason R  wrote:
> 
> Hi Team,
> 
> Can someone please guide if DNS exfiltration techniques can be identified 
> using DNS RPZ? Or do I need to install any other third party tool like IDS to 
> identify the DNS beacon channels.
> 
> Has anyone used DNS RPZ to block/detect data exfiltration?

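Added example, not part of the original thread and not the code of any product named in it: since RPZ does not analyse client behaviour, that analysis has to run elsewhere, for instance over the BIND query log. The Python below flags clients that send many distinct high-entropy names under one domain and counts their TXT/DNSKEY queries, the record types named in the messages above; the log lines are constructed, and the thresholds and the two-label base-domain split are assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample in the style of BIND's query log; not real traffic.
SAMPLE_LOG = """\
17-Jun-2018 10:07:01.101 client 192.168.1.120#65049 (www.example.com): query: www.example.com IN A +
17-Jun-2018 10:07:01.250 client 192.168.1.120#65050 (mail.example.com): query: mail.example.com IN MX +
17-Jun-2018 10:07:01.300 client 192.168.1.120#65051 (example.com): query: example.com IN DNSKEY +
17-Jun-2018 10:07:02.004 client 192.168.1.77#51000 (q7x2m9k4z1w8v3p6.tunnel.test): query: q7x2m9k4z1w8v3p6.tunnel.test IN DNSKEY +
17-Jun-2018 10:07:02.310 client 192.168.1.77#51001 (h5j0r8t3y6u1n4b9.tunnel.test): query: h5j0r8t3y6u1n4b9.tunnel.test IN DNSKEY +
17-Jun-2018 10:07:02.615 client 192.168.1.77#51002 (c2e7g4i9l0o5s3d8.tunnel.test): query: c2e7g4i9l0o5s3d8.tunnel.test IN TXT +
17-Jun-2018 10:07:02.920 client 192.168.1.77#51003 (f6a1k8m3q0w5z2x7.tunnel.test): query: f6a1k8m3q0w5z2x7.tunnel.test IN DNSKEY +
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
CARRIER_TYPES = {"TXT", "DNSKEY"}  # record types the thread names as data carriers


def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Return (subdomain, base domain). Taking the last two labels as the base
    is an assumption; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_suspects(log_text, min_unique=4, min_entropy=3.5):
    """Group queries by (client, base domain) and report the groups that look
    like encoded data: many distinct subdomains with high average entropy."""
    stats = defaultdict(lambda: {"subs": set(), "carrier": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sub, base = split_name(m["qname"])
        if not sub:  # apex query, e.g. a validator fetching the zone's DNSKEY
            continue
        entry = stats[(m["ip"], base)]
        entry["subs"].add(sub)
        if m["qtype"].upper() in CARRIER_TYPES:
            entry["carrier"] += 1
    findings = []
    for (ip, base), entry in sorted(stats.items()):
        subs = entry["subs"]
        mean_h = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and mean_h >= min_entropy:
            findings.append({
                "client": ip,
                "domain": base,
                "unique_names": len(subs),
                "carrier_queries": entry["carrier"],
                "mean_entropy": round(mean_h, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_LOG):
        print(finding)
```

A domain reported this way is a candidate for the first RPZ zone in the response-policy order, as the reply above recommends.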


Re: Building Geo Map using Queries

2018-06-09 Thread Vadim Pavlov via bind-users
Nope. YMMV depending on your requirements.

I did it a while ago but I've just parsed the query logs with my script and 
stored logs in MySQL + used google maps to show it ( http://dnsstat.ipvm.biz/ 
 and a funny video: https://youtu.be/mI1p0VjalT ). 
I needed more details so I've used "whois" + RIPE DB.

AFAIK Splunk (even with free tier) provides such ability. You may use some 
other providers like DomainTools as well. 

Vadim
> On 10 Jun 2018, at 08:15, Blason R  wrote:
> 
> Thanks! 
> 
> Any particular use case or configuration you would like to suggest?
> 
> 
> On Sun, Jun 10, 2018 at 10:25 AM Vadim Pavlov wrote:
> Hi Blason,
> 
> You can use MaxMind GeoIP DB and enrich logs with data you need.
> 
> Vadim
> > On 09 Jun 2018, at 17:33, Blason R wrote:
> > 
> > Hi There,
> > 
> > I have DNS RPZ server running and have configured logstash on the same to 
> > parse the DNS RPZ logs. 
> > 
> > My requirement is I need to build Geo Map basis on the DNS responses; Any 
> > idea how can that be achieved? Or need to know the requests made from which 
> > country and any other idea community can suggest?


Re: Building Geo Map using Queries

2018-06-09 Thread Vadim Pavlov via bind-users
Hi Blason,

You can use MaxMind GeoIP DB and enrich logs with data you need.

Vadim
> On 09 Jun 2018, at 17:33, Blason R  wrote:
> 
> Hi There,
> 
> I have DNS RPZ server running and have configured logstash on the same to 
> parse the DNS RPZ logs. 
> 
> My requirement is I need to build Geo Map basis on the DNS responses; Any 
> idea how can that be achieved? Or need to know the requests made from which 
> country and any other idea community can suggest?