Rear View RPZ: PTR records from local knowledge

Fred Morris m3047 at m3047.net
Thu Dec 2 19:42:54 UTC 2021


I posted just such a thing a few weeks ago on the dnsrpz list at
redbarn. Hrm, seems to be down at the moment.

On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote:
> On 12/2/21 9:59 AM, Fred Morris wrote:
>> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
>> generally available: turn your local BIND resolver into a network
>> investigation enabler with locally generated PTR records.
>
> Would you please elaborate on what Rear View RPZ does?
>
> It seems as if it synthetically fabricates PTR records (which are
> served via RPZ) with some additional information for subsequent use by
> investigators.
>
> If that is correct, please provide an example of the original PTR and
> the synthetic augmented PTR.

\/    \/    \/    \/    \/ (ob ascii art!)

-------- Forwarded Message --------

Subject: 	[DNSfirewalls] I've got smoke! Re: Using DnsTap to populate a reverse DNS RPZ
Date: 	Mon, 15 Nov 2021 09:49:26 -0800
From: 	Fred Morris <m3047 at m3047.net>
To: 	dnsfirewalls at lists.redbarn.org



Hi. It's been a while.

Anyway, I did this. It'll be going up on GitHub. I'll post another
announcement here, and probably on dnstap and bind-users, when it's got
training wheels.

The way this works is a "sputnik" which consumes BIND's Dnstap telemetry
and uses it to populate the RPZ using dynamic updates.

--

FWM

On 3/19/21 12:57 PM, Fred Morris wrote:
> This is a tactical defender-centric tool, intended to augment everyday
> tools' usability, e.g. "iptables -L -v". It's an RPZ, but it's not a
> ban hammer.
>
> On Fri, 19 Mar 2021, Andrew Fried wrote:
>> [...]
>> You will often see generic 4-3-2-1.some.domain ptr records despite an
>> actual host/domain pointing at the ip, particularly in cloud environments.
>
> Exactly the point!
>
--

m3047 at sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 www.cnn.com

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 www.cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54804
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 04b5f7fa4c6aded4a8b6a4b3619299ce772407a3c447a114 (good)
;; QUESTION SECTION:
;www.cnn.com.                   IN      A

;; ANSWER SECTION:
www.cnn.COM.            297     IN      CNAME   turner-tls.map.fastly.net.
turner-tls.map.fastly.net. 27   IN      A       151.101.53.67

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:33:02 PST 2021
;; MSG SIZE  rcvd: 134

m3047 at sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 rearview.m3047.net axfr

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 rearview.m3047.net axfr
; (1 server found)
;; global options: +cmd
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL.
M3047.M3047.NET. 2 600 60 86400 600
REARVIEW.M3047.NET.     600     IN      NS      LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT
"depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0.6666666666666666"
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL.
M3047.M3047.NET. 2 600 60 86400 600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:33:10 PST 2021
;; XFR size: 5 records (messages 1, bytes 382)

m3047 at sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 infoblox.com

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 infoblox.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 666ea36e97a11479a198007e61929a416afc140bc683c5cc (good)
;; QUESTION SECTION:
;infoblox.com.                  IN      A

;; ANSWER SECTION:
infoblox.com.           3600    IN      A       23.185.0.3

;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:34:57 PST 2021
;; MSG SIZE  rcvd: 85

m3047 at sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 rearview.m3047.net axfr

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 rearview.m3047.net axfr
; (1 server found)
;; global options: +cmd
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL.
M3047.M3047.NET. 3 600 60 86400 600
REARVIEW.M3047.NET.     600     IN      NS      LOCALHOST.
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN TXT
"depth=2,first=1636997584.330454,last=1636997584.330457,count=1,trend=0.0,score=0.6666666666666666"
67.53.101.151.in-addr.arpa.rearview.m3047.net. 600 IN PTR www.cnn.com.
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN TXT
"depth=1,first=1636997699.3390522,last=1636997699.3390543,count=1,trend=0.0,score=0.5"
3.0.185.23.in-addr.arpa.rearview.m3047.net. 600 IN PTR infoblox.com.
REARVIEW.M3047.NET.     600     IN      SOA     DEV.NULL.
M3047.M3047.NET. 3 600 60 86400 600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:35:02 PST 2021
;; XFR size: 7 records (messages 1, bytes 547)

m3047 at sophia:~/GitHub/rear_view_rpz/python> dig -x 23.185.0.3

; <<>> DiG 9.12.3-P1 <<>> -x 23.185.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c99baad9134300b5c7c0938361929b634fc1d9fd56d9f674 (good)
;; QUESTION SECTION:
;3.0.185.23.in-addr.arpa.       IN      PTR

;; AUTHORITY SECTION:
23.in-addr.arpa.        10800   IN      SOA     z.arin.net.
dns-ops.arin.net. 2017032657 1800 900 691200 10800

;; Query time: 1174 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Mon Nov 15 09:39:47 PST 2021
;; MSG SIZE  rcvd: 149

m3047 at sophia:~/GitHub/rear_view_rpz/python> dig @127.0.0.1 -x 23.185.0.3

; <<>> DiG 9.12.3-P1 <<>> @127.0.0.1 -x 23.185.0.3
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46633
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fa006de254213cbe5d5ecfe061929b727fc60cca0a56dc9a (good)
;; QUESTION SECTION:
;3.0.185.23.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
3.0.185.23.in-addr.arpa. 5      IN      PTR     infoblox.com.

;; ADDITIONAL SECTION:
REARVIEW.M3047.NET.     1       IN      SOA     DEV.NULL.
M3047.M3047.NET. 3 600 60 86400 600

;; Query time: 437 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 15 09:40:02 PST 2021
;; MSG SIZE  rcvd: 174

_______________________________________________
DNSfirewalls mailing list
DNSfirewalls at lists.redbarn.org
http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
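The mechanism Fred describes above (a "sputnik" that consumes Dnstap telemetry and feeds PTR records into an RPZ via dynamic update) is sketched below as an added example. It is not code from the Rear View RPZ project. It assumes the Dnstap stream has already been decoded into (queried name, answer chain, timestamp) tuples; the zone name and the TXT field names are taken from the AXFR output quoted above, while the score formula depth/(depth+1) is a hypothetical stand-in that merely reproduces the two values shown there, and trend is emitted as a fixed 0.0 because the page does not show how it is computed. The telemetry itself is constructed.

```python
"""Added example (not Rear View RPZ's own code): derive RPZ PTR records from
decoded resolver telemetry and emit them as an RPZ zone fragment plus an
nsupdate batch. See the lead-in for what is assumed.
"""
import ipaddress

RPZ_ZONE = "rearview.m3047.net."   # zone name from the AXFR shown on the page
TTL = 600

# Constructed telemetry: name the client asked for, the chain of names and the
# final address the resolver returned, and when. Includes a repeat and IPv6.
OBSERVATIONS = [
    ("www.cnn.com.", ["turner-tls.map.fastly.net.", "151.101.53.67"], 1636997584.330454),
    ("infoblox.com.", ["23.185.0.3"], 1636997699.3390522),
    ("www.cnn.com.", ["turner-tls.map.fastly.net.", "151.101.53.67"], 1636997700.0),
    ("v6.example.", ["2001:db8::1"], 1636997701.0),
]


def reverse_name(address):
    """Owner name of an address under in-addr.arpa (IPv4) or ip6.arpa (IPv6)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def rpz_owner(rev):
    """An RPZ policy record lives at <trigger name>.<policy zone>."""
    return rev + RPZ_ZONE


class RearView:
    """Aggregates observed name -> address mappings keyed by reverse owner name."""

    def __init__(self):
        self.entries = {}

    def observe(self, qname, chain, ts):
        depth = len(chain)            # hops from the queried name to the address
        key = reverse_name(chain[-1])
        e = self.entries.get(key)
        if e is None or e["ptr"] != qname:
            # New address, or a different name now maps to it: start a fresh entry.
            self.entries[key] = {"ptr": qname, "depth": depth,
                                 "first": ts, "last": ts, "count": 1}
        else:
            e["last"] = ts
            e["count"] += 1

    @staticmethod
    def score(e):
        # Hypothetical formula; only chosen because it yields 0.666.. for
        # depth=2 and 0.5 for depth=1, the values visible on the page.
        return e["depth"] / (e["depth"] + 1)

    def records(self):
        """RPZ records in presentation format, as an AXFR of the zone shows them."""
        out = []
        for rev, e in sorted(self.entries.items()):
            owner = rpz_owner(rev)
            txt = ("depth={depth},first={first},last={last},count={count},"
                   "trend=0.0,score={score}").format(score=self.score(e), **e)
            out.append(f'{owner} {TTL} IN TXT "{txt}"')
            out.append(f'{owner} {TTL} IN PTR {e["ptr"]}')
        return out

    def nsupdate_script(self, server="127.0.0.1"):
        """Dynamic-update batch for `nsupdate`: replace each owner's TXT/PTR set."""
        lines = [f"server {server}", f"zone {RPZ_ZONE}"]
        for rev, e in sorted(self.entries.items()):
            owner = rpz_owner(rev)
            lines += [f"update delete {owner} TXT", f"update delete {owner} PTR"]
            lines += [f"update add {owner} {TTL} TXT \"depth={e['depth']},count={e['count']}\"",
                      f"update add {owner} {TTL} PTR {e['ptr']}"]
        lines.append("send")
        return "\n".join(lines) + "\n"

    def lookup_ptr(self, address):
        """Emulate the policy effect: a locally known PTR answers, otherwise the
        upstream answer (here NXDOMAIN, as in the dig -x against 10.0.0.220) passes."""
        e = self.entries.get(reverse_name(address))
        return ("NOERROR", e["ptr"]) if e else ("NXDOMAIN", None)


def build(observations=OBSERVATIONS):
    rv = RearView()
    for qname, chain, ts in observations:
        rv.observe(qname, chain, ts)
    return rv


if __name__ == "__main__":
    rv = build()
    print("\n".join(rv.records()))
    print(rv.nsupdate_script())
    print(rv.lookup_ptr("23.185.0.3"), rv.lookup_ptr("8.8.8.8"))
```

Running it prints the two PTR/TXT pairs seen in the AXFR above (plus an ip6.arpa entry), the nsupdate batch that would install them, and the contrast between an address the resolver has seen (answered) and one it has not (NXDOMAIN, as upstream returned it).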