Re: Implementing the bogon list

2010-04-10 Thread Alex
Hi,

> EMARKETINGHYPE :)  You still haven't specified what exactly you want to
> implement. ACLs? Empty zones for things that should not resolve?
> Something else? And more importantly, what is the _reason_ you're trying
> to do what you're trying to do?

Heh :-) Sure didn't mean that, but guess that's how it sounded :-)

I think primarily my interest is with integration with postfix and
email. Anything that I can do to reduce the amount of processing
required would help. I'm also just generally interested in learning
about it.

At the same time, I do understand that it doesn't do much good to
spoof an email that you'd like to actually have received, since it's
TCP, so I'm not sure how it applies. I still have to figure that out
:-)

> Yes, that's why the zone transfer idea was so compelling to me, or
> perhaps even a once-monthly rsync of the config file?
>
> This is where I continue to be confused. I have no idea what a zone
> transfer would accomplish in this context.

I understood that you could download the latest bogon list by querying the zone:

http://www.team-cymru.org/Services/Bogons/#dns

> It seems from other posts that you want to implement ACLs of some sort
> related to bogons. My suggestion is that unless you have a really
> clear idea of a specific security goal that will be served by doing this
> that you don't do it.

I guess I understand that the primary use is to prohibit internal
networks from leaving the organization and some rogue external bogus
network from entering as it relates to routing and networking in
general, but I also thought it somehow related to SMTP, and that's
what I'd like to make sure.

Thanks so much.
Best regards,
Alex
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Implementing the bogon list

2010-04-09 Thread Bryan Irvine
I think that's really designed for router ACL's.

Most reliable method might be to subscribe to their BGP feed.

I'm not sure what you'd do with regards to BIND or even why you'd want
to handle it there.

On Fri, Apr 9, 2010 at 1:27 PM, Alex mysqlstud...@gmail.com wrote:
> Hi,
>
> I'm interested in implementing an updated Cymru bogon list, but would
> like some examples on how best to do this. Much of my searching has
> resulted in old configurations that weren't complete and seemed to
> contain errors.
>
> Where is the best place to go to find a template on how best to do
> this? I understand it's a combination of creating a zone with the IP
> ranges in an ACL, but which IPs should actually go in that ACL? There
> is a list of four or five different sets here:
>
> http://www.cymru.com/Documents/bogon-dd.html
>
> Is there an actual zone file with the contents of these IPs, or is it
> all implemented by listing them in the ACL in named.conf?
>
> Once I've implemented it in bind, could it then be used somehow at
> smtp connect time to reject spoofed connections? How exactly do you
> use it?
>
> Thanks,
> Alex


Re: Implementing the bogon list

2010-04-09 Thread Doug Barton
On 04/09/10 13:27, Alex wrote:
> Hi,
>
> I'm interested in implementing an updated Cymru bogon list,

Why don't you take a step back and let us know what you're trying to
accomplish first.


Doug

-- 

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/



Re: Implementing the bogon list

2010-04-09 Thread Stefan Schmidt


On 09.04.2010, at 22:32, Bryan Irvine wrote:


> I think that's really designed for router ACL's.


Not exclusively, hence http://www.cymru.com/Documents/secure-bind-template.html


> I'm not sure what you'd do with regards to BIND or even why you'd want
> to handle it there.


Well, for example for a recursive nameserver it pays performance-wise
if BIND (or any other recursive nameserver) does not need to go out to
the world and try to reach 192.168.0.1 just because some idiot chose
this IP as his IN NS for some subdomain.


Alex,

you'll find the aggregated version of the bogon list at
http://www.cymru.com/Documents/bogon-bn-agg.txt

options {
    blackhole {
        # generated from the aggregated list with:
        # echo bogons | perl -nle 'print "\t\t$_;";'
        0.0.0.0/8;
        5.0.0.0/8;
        10.0.0.0/8;
        23.0.0.0/8;
        31.0.0.0/8;
        36.0.0.0/7;
        39.0.0.0/8;
        42.0.0.0/8;
        49.0.0.0/8;
        100.0.0.0/6;
        104.0.0.0/7;
        106.0.0.0/8;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        176.0.0.0/7;
        179.0.0.0/8;
        181.0.0.0/8;
        185.0.0.0/8;
        192.0.0.0/24;
        192.0.2.0/24;
        192.168.0.0/16;
        198.18.0.0/15;
        198.51.100.0/24;
        203.0.113.0/24;
        224.0.0.0/3;
    };
};

 Stefan


Re: Implementing the bogon list

2010-04-09 Thread Kevin Oberman
> Date: Fri, 9 Apr 2010 16:27:38 -0400
> From: Alex mysqlstud...@gmail.com
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> Hi,
>
> I'm interested in implementing an updated Cymru bogon list, but would
> like some examples on how best to do this. Much of my searching has
> resulted in old configurations that weren't complete and seemed to
> contain errors.
>
> Where is the best place to go to find a template on how best to do
> this? I understand it's a combination of creating a zone with the IP
> ranges in an ACL, but which IPs should actually go in that ACL? There
> is a list of four or five different sets here:
>
> http://www.cymru.com/Documents/bogon-dd.html
>
> Is there an actual zone file with the contents of these IPs, or is it
> all implemented by listing them in the ACL in named.conf?
>
> Once I've implemented it in bind, could it then be used somehow at
> smtp connect time to reject spoofed connections? How exactly do you
> use it?

The FreeBSD default configuration does this, though it does not include
unassigned space as it will get assigned soon.

You can see the config at:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/etc/namedb/named.conf?rev=1.31;content-type=text%2Fplain

You can add the unassigned space to those fairly easily, but make sure
that you update it as space is assigned.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


Re: Implementing the bogon list

2010-04-09 Thread Doug Barton
On 04/09/10 14:23, Kevin Oberman wrote:
> The FreeBSD default configuration does this,

Let's be clear on what this is please, since I don't think the OP's
post was clear about what he wanted to implement. :)

The default named.conf for FreeBSD implements local, empty zones for
various things that should not be live on the Internet. I started with
http://tools.ietf.org/html/draft-ietf-dnsop-default-local-zones and
expanded the list to include other things referenced in RFCs. The goal
is to provide fast local resolution for answers that should not be sent
out to the Internet anyway. A pleasant side effect is that it reduces
the amount of garbage queries received by the roots, etc.

> though it does not include unassigned space as it will get assigned soon.

That's a conscious choice, given the historical problems with admins not
keeping such lists up to date. OTOH I think that the included examples
give an interested admin more than enough information to do that on her
own, if desired.

In any case, I welcome comments and suggestions on improving this config.

> You can see the config at:
> http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/etc/namedb/named.conf?rev=1.31;content-type=text%2Fplain
>
> You can add the unassigned space to those fairly easily, but make sure
> that you update it as space is assigned.

Yes, this is worth saying again, and I agree with it (again). :)


Doug

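As an added example (it is not FreeBSD's named.conf and not Doug's code), the following Python script renders the kind of local empty-zone stanzas Doug describes, starting from a list of RFC 5735 special-use blocks. The prefix list, the zone file path and the function names are assumptions. The one step the thread does not spell out is that in-addr.arpa delegates on octet boundaries, so a block such as 172.16.0.0/12 cannot be one zone and has to become sixteen /16 reverse zones.

```python
"""Render BIND "empty zone" stanzas for special-use IPv4 blocks.

Added example in the spirit of the FreeBSD default named.conf described in
the thread; it is not that file. The prefix list and the empty zone file
path are assumed.
"""
import ipaddress

# Constructed input: some of the special-use blocks listed in RFC 5735.
SPECIAL_USE_V4 = [
    "10.0.0.0/8",       # private (RFC 1918)
    "172.16.0.0/12",    # private (RFC 1918)
    "192.168.0.0/16",   # private (RFC 1918)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link local
    "192.0.2.0/24",     # TEST-NET-1 documentation space
]

# Assumed path of a shared zone file holding only SOA and NS records.
EMPTY_ZONE_FILE = "/etc/namedb/master/empty.db"


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that exactly cover an IPv4 prefix.

    Reverse delegation happens on octet boundaries, so a prefix whose length
    is not a multiple of 8 must be split: 172.16.0.0/12 becomes the sixteen
    zones 16.172.in-addr.arpa .. 31.172.in-addr.arpa.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only; ip6.arpa delegates on nibble boundaries")
    # Round the prefix length up to the next octet boundary (8, 16, 24 or 32).
    octet_bits = max(8, ((net.prefixlen + 7) // 8) * 8)
    names = []
    for sub in net.subnets(new_prefix=octet_bits):
        octets = str(sub.network_address).split(".")[: octet_bits // 8]
        names.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return names


def render_empty_zones(prefixes, zone_file=EMPTY_ZONE_FILE):
    """Emit one 'zone' stanza per reverse zone, in named.conf syntax."""
    lines = []
    for cidr in prefixes:
        lines.append(f"// {cidr}")
        for name in reverse_zones(cidr):
            lines.append(
                f'zone "{name}" {{ type master; file "{zone_file}"; }};'
            )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_empty_zones(SPECIAL_USE_V4), end="")
```

Because every stanza points at the same empty zone file, queries for these names get an authoritative negative answer locally instead of leaving the resolver, which is the effect Doug describes; the script stops at IPv4 because ip6.arpa splits on nibbles rather than octets.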


Re: Implementing the bogon list

2010-04-09 Thread Joseph S D Yao
On Fri, Apr 09, 2010 at 11:41:09PM -0400, Alex wrote:
...
> Ah, I was expecting it to be a lot more involved than that, I guess.
...


It is.  Do not expect to implement ANYTHING involving a bogon list
without it requiring CONSTANT MAINTENANCE.

The Bogon list as it is today has shrunk greatly from what it started
out with.  IPv4 addresses are constantly being allocated off, requiring
that they be removed from the Bogon list.

Many years ago a network on which I'm still working was allocated a set
of IP addresses that was STILL [due to clerical oversight] on the Bogon
list.  Too many were still blocking it even after it came off that list.
To this VERY DAY there are people blocking it who will not update their
lists.

I strongly recommend that anyone wanting some degree of security use
look at the lists of IPv4 networks in RFC 5735/6/7 and the list of IPv6
networks in RFC 5156.  Decide which of those networks you want to block
or blackhole.

For any other networks, you may want to do something that flags you if
they appear on either part of a query.  But, for the love of all that
may be holy in DNS, do NOT NOT NOT blackhole a network that is in the
bogon list just because it is not YET allocated!


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Implementing the bogon list

2010-04-09 Thread Joseph S D Yao
On Sat, Apr 10, 2010 at 01:08:16AM -0400, Joseph S D Yao wrote:
...
> I strongly recommend that anyone wanting some degree of security use
> look at the lists of IPv4 networks in RFC 5735/6/7 and the list of IPv6
> networks in RFC 5156.  Decide which of those networks you want to block
> or blackhole.
...


OBTW, glancing around the Web on the Internet, it looks like a lot of
folks don't realize that option { blackhole{} } cuts both ways.  Nobody
can query from those IP addresses, but you can't query into those IP
addresses.  I saw a serious proposal to blackhole the root IP addresses
so that queries to the root might be reduced - presumably on a recursive
resolver.


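Added example, not part of the thread: a Python script that builds the options { blackhole { ... }; }; block Stefan posted from a bogon prefix file and then applies Joe's caveat, checking the addresses the resolver itself must reach against that list. BOGON_TEXT is a constructed excerpt in the one-prefix-per-line format of bogon-bn-agg.txt, not the current Team Cymru list; DEPENDENCIES and the function names are assumptions.

```python
"""Build a BIND blackhole ACL from a bogon prefix file and audit it.

Added example, not part of the thread. BOGON_TEXT is a constructed excerpt
in the format of bogon-bn-agg.txt, not the live list; DEPENDENCIES is made up.
"""
import ipaddress

BOGON_TEXT = """\
# constructed excerpt for illustration; fetch the current file in practice
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
224.0.0.0/3
"""

# Constructed: addresses this resolver must still be able to talk to.
# The forwarder sits in documentation space, which the excerpt blackholes;
# the secondary's block is deliberately absent from the excerpt.
DEPENDENCIES = {
    "forwarder": "192.0.2.53",
    "secondary": "203.0.113.10",
}


def parse_prefixes(text):
    """Parse one CIDR per line ('#' starts a comment), reject malformed
    entries, and merge sibling prefixes so the ACL stays as short as possible."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=True refuses entries such as 10.1.0.0/8 that have host bits set
        nets.append(ipaddress.ip_network(line, strict=True))
    return list(ipaddress.collapse_addresses(nets))


def render_blackhole(nets):
    """Render the blackhole block in named.conf syntax (note the ';' after
    each closing brace, which named requires)."""
    body = "\n".join(f"\t\t{net};" for net in nets)
    return f"options {{\n\tblackhole {{\n{body}\n\t}};\n}};\n"


def unreachable_dependencies(nets, addresses):
    """Joe's caveat applied: blackhole{} also stops this server sending to
    the listed prefixes, so report every dependency that would be cut off."""
    hits = []
    for name, addr in addresses.items():
        ip = ipaddress.ip_address(addr)
        covering = next((net for net in nets if ip in net), None)
        if covering is not None:
            hits.append((name, addr, str(covering)))
    return hits


if __name__ == "__main__":
    nets = parse_prefixes(BOGON_TEXT)
    print(render_blackhole(nets), end="")
    for name, addr, net in unreachable_dependencies(nets, DEPENDENCIES):
        print(f"WARNING: {name} {addr} is inside blackholed {net}")
```

Run against the excerpt it prints the ACL and then warns that the forwarder at 192.0.2.53 would be unreachable; the same check belongs in whatever job refreshes the list, since a prefix that was a bogon last month may cover a forwarder, secondary or root hint by the time the next allocation lands.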


Re: Implementing the bogon list

2010-04-09 Thread Doug Barton
On 04/09/10 20:50, Alex wrote:
> Hi,
>
> Let's be clear on what this is please, since I don't think the OP's
> post was clear about what he wanted to implement. :)
>
> I'm really interested in security, reducing resources, and making sure
> the server is current with today's standards. I'd like to make sure
> it's properly set up and there aren't any configuration errors and
> that anything I can do to improve its overall performance is being
> done.

EMARKETINGHYPE :)  You still haven't specified what exactly you want to
implement. ACLs? Empty zones for things that should not resolve?
Something else? And more importantly, what is the _reason_ you're trying
to do what you're trying to do?

> In any case, I welcome comments and suggestions on improving this config.
>
> You can see the config at:
> http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/etc/namedb/named.conf?rev=1.31;content-type=text%2Fplain
>
> It's very good, but I think it also depends on what you're trying to
> achieve.

My point exactly. :)  Your suggestions were all good, but go well beyond
the goal of good default configuration for a local resolver with some
basic guidance on other common tasks. I'm not aiming for a
comprehensive DNS howto in the conf file.

> You can add the unassigned space to those fairly easily, but make sure
> that you update it as space is assigned.
>
> Yes, this is worth saying again, and I agree with it (again). :)
>
> Yes, that's why the zone transfer idea was so compelling to me, or
> perhaps even a once-monthly rsync of the config file?

This is where I continue to be confused. I have no idea what a zone
transfer would accomplish in this context.

It seems from other posts that you want to implement ACLs of some sort
related to bogons. My suggestion is that unless you have a really
clear idea of a specific security goal that will be served by doing this
that you don't do it.


hth,

Doug
