RPZ for reverse lookups ?
m3047
m3047 at m3047.net
Sun Aug 25 16:01:06 UTC 2019
Yes. See below.
Another respondent expresses concerns about the danger of IP address
blocking. The RPZ implementation (in BIND) includes options for setting
triggers on the address returned with A and AAAA RRs (rpz-ip) and
nameserver address (nsip). These kinds of actions are functionally
distinct from triggers based on the query name.
On Sat, 24 Aug 2019, J Doe wrote:
> [...] Is it possible to re-write a response on a reverse lookup ? For
> instance, if I considered example.com a “bad domain”, can I write a RPZ
> policy so that a reverse lookup of IP’s that map to example.com fails or
> is blocked ?
>
> I know I can do this with a forward lookup to generate NXDOMAIN:
>
> ; Forward resolution of: example.com and subdomains generates: NXDOMAIN
>
> example.com IN CNAME .
> *.example.com IN CNAME .
I have to wonder what led us here and why it's so important to generate
NXDOMAIN. There are plenty of ways to disrupt as well as out and out block
access to an IP address which don't require resorting to DNS tricks, such
as using a firewall, but let's see what we can do.
I suspect if you wanted to block an IP address, that rpz-ip is what you're
looking for.
What you've got above prevents example.com from resolving to any address.
So where did the address come from? Are you sure the evidence chain
involves example.com and not something else (correctly or incorrectly)
resolving to that address, or someone outright lying? Why would you assume
that? (And as the other prior respondent points out, it has risks. Are the
impacts of your proposed actions local in scope? Do you run a local
passive DNS oracle?)
Let's say that example.com resolves to 10.9.8.7. In that case "dig -x
10.9.8.7" will generate a query for 7.8.9.19.in-addr.arpa PTR records. A
record like
7.8.9.10.in-addr.arpa CNAME .
will generate NXDOMAIN in response to that query. You could be more
explicit:
7.8.9.10.in-addr.arpa PTR block.this.
If you were doing spam scoring based on the feature "does the FQDN the MTA
declares as its identity match a reverse lookup on its address", either
one of these would potentially fail. NXDOMAIN is generally an implied fail
however, and could be due to infrastructure failures distinct and separate
from imputed conduct; whereas the feature "anything that a reverse lookup
resolves to block.this should be blocked" is explicit (and unambiguous
until the .this TLD launches).
--
Fred Morris
More information about the bind-users
mailing list