idea about forging dns data
Kevin Darcy
kcd at daimlerchrysler.com
Wed Aug 31 23:04:37 UTC 2005
Tim Peiffer wrote:
>Without discussing the morality issues, the need to locally kill or
>poison a DNS entry is real. We periodically create a local entry for a
>single machine or sometimes a domain for which an IRC botnet controller
>is using the nefarious domain to indicate a machine to DDoS. We handle
>this as if we are authoritative for anyone asking us. If you do not
>serve anything outside of your network, i.e., no public DNS service, this
>works well. Currently the poison wildcards everything in the domain to
>127.0.0.1. The reach of the poison extends to the boundary of our
>company and no further.
>
>Case in point:
> Look at your DNS query transactions for wallloan.com, legi0n.net,
>turkcoders.net, and is-a-fag.net.
>The machines making requests about the above domains are infected with
>various worm and botnet controllers.
>
>We plan on changing the wildcards from loopback to IP addresses in our
>local domain that represent URLs indicating 'You are seeing this web
>page because you have been hacked', 'You are seeing this page because
>you have XXX worm.', 'Please see OIT Security - ', so that we can inform
>the customers that they have something seriously wrong with their
>machines. If you were of a mind to legislate morality or policy, you
>could do that in this manner as well.
>
>
Things are easier, of course, when all outbound web access goes through
a proxy. In that case, either put the redirects directly in the proxy,
or have a separate "view" in whatever BIND nameserver(s) are used to
resolve Internet names for the proxy, that spoofs what needs to be
spoofed and forwards everything else to regular nameserver instances.
- Kevin
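A named.conf sketch of the "separate view" arrangement Kevin describes, added here as an example and not taken from the thread or from the BIND documentation. The proxy address, resolver addresses, notice-page address and the placeholder domain bad.example are all assumed values.

```conf
// Assumed: 192.0.2.10 is the outbound web proxy, 192.0.2.53/54 are the
// regular recursive resolvers, 192.0.2.80 hosts the "you are infected" page.
acl proxies { 192.0.2.10; };

view "sinkhole" {
    match-clients { proxies; };
    recursion yes;

    // Override: this view answers authoritatively for bad.example,
    // so no query for it ever leaves the network.
    zone "bad.example" {
        type master;
        file "/etc/bind/db.sinkhole";
    };

    // Everything not overridden above is forwarded to the normal resolvers.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

// Contents of /etc/bind/db.sinkhole (shown as a comment; one file per zone).
// The short TTL lets the override be withdrawn quickly once a domain is clean.
//   $TTL 300
//   @   IN SOA ns1.corp.example. hostmaster.corp.example. (
//               2005083101 3600 900 604800 300 )
//       IN NS   ns1.corp.example.
//       IN A    192.0.2.80
//   *   IN A    192.0.2.80     ; wildcard: every name under the domain
```

Because the override is confined to the view the proxy queries, other internal clients still see real answers, and only the proxy's logs need to be watched to find which hosts tried to reach the overridden names.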