Logging ECS information for RPZ rewrites


Logging ECS information for RPZ rewrites

Brian Keifer
I'm working on creating a highly-available group of BIND servers to serve as caching nameservers with RPZs built from various threat intel feeds to help prevent unwanted activity on our network.

The architecture I've been working with so far is a pair of front-end proxy servers running keepalived to share a virtual IP and PowerDNS's dnsdist as the actual proxy.  The proxies set ECS to the client's IP address and pass the request to one of four back-end caching BIND 9.12 servers.

That all works beautifully, but when a client has one of their requests rewritten based on a threat feed, we want to know about it so that we can investigate/remediate that client.

When the rewrites are logged via the 'rpz' category, they're logged with the IP address of the proxy, not the client.  I can get the ECS information in the query log, but there's nothing in the query log (or is there?) that indicates that a query was rewritten.

Is there any way to get the ECS information in the RPZ log?  Failing that, suggestions on how to accomplish this would be greatly appreciated.

Thanks!

-Brian

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
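One way to get the client behind a rewrite without changing BIND is to join the two logs BIND already writes: the 'rpz' line and the 'queries' line for the same packet share the same proxy address, source port and qname and are logged within milliseconds of each other, and only the 'queries' line carries the ECS option. The script below is an added example, not code from the thread or from ISC; the sample log lines are constructed, and the "[ECS addr/source/scope]" suffix and rpz line layout are approximations of the BIND 9.11/9.12 formats, so the regexes may need adjusting to what your channels actually emit.

```python
"""Correlate BIND 'rpz' log lines (which show the proxy's address) with 'queries'
log lines (which carry the EDNS Client Subnet option) to recover the real client
behind each RPZ rewrite.  Added example; not code from the original thread."""
import re
from datetime import datetime, timedelta

# Constructed sample lines approximating BIND 9.11/9.12 output.  The exact
# "[ECS addr/source/scope]" suffix and the rpz line layout are assumptions;
# adjust QUERY_RE / RPZ_RE to whatever your logging channels really produce.
QUERY_LOG = """\
12-Mar-2018 10:05:00.500 queries: info: client @0x7f1e 192.0.2.10#51337 (bad.example.net): query: bad.example.net IN A +E(0)K (198.51.100.4) [ECS 10.20.99.99/32/0]
12-Mar-2018 10:15:01.123 queries: info: client @0x7f1e 192.0.2.10#51337 (bad.example.net): query: bad.example.net IN A +E(0)K (198.51.100.4) [ECS 10.20.30.40/32/0]
12-Mar-2018 10:15:01.125 queries: info: client @0x7f1e 192.0.2.11#40002 (www.example.org): query: www.example.org IN A +E(0)K (198.51.100.4) [ECS 10.20.31.7/32/0]
12-Mar-2018 10:15:02.001 queries: info: client @0x7f1e 10.99.0.5#53001 (evil.example.com): query: evil.example.com IN AAAA +E(0)K (198.51.100.4)
"""
RPZ_LOG = """\
12-Mar-2018 10:15:01.124 rpz: info: client @0x7f1e 192.0.2.10#51337 (bad.example.net): rpz QNAME NXDOMAIN rewrite bad.example.net via bad.example.net.rpz.threatfeed
12-Mar-2018 10:15:02.002 rpz: info: client @0x7f1e 10.99.0.5#53001 (evil.example.com): rpz QNAME CNAME rewrite evil.example.com via evil.example.com.rpz.threatfeed
"""

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
TS_RE = re.compile(r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
# Common prefix of both log categories: proxy address, source port and qname.
CLIENT = r"client @0x[0-9a-f]+ (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
QUERY_RE = re.compile(CLIENT + r"query: \S+ IN (?P<qtype>\S+) \S+ \([^)]*\)(?: \[ECS (?P<ecs>[^\]]+)\])?")
RPZ_RE = re.compile(CLIENT + r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite \S+ via (?P<via>\S+)")
MAX_SKEW = timedelta(seconds=2)   # query and rpz lines for one packet are logged back to back


def _ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m["ts"], TS_FMT) if m else None


def index_queries(query_log):
    """(proxy_ip, port, qname) -> [(timestamp, ecs or None), ...] for each query line."""
    idx = {}
    for line in query_log.splitlines():
        m = QUERY_RE.search(line)
        ts = _ts(line)
        if m and ts:
            idx.setdefault((m["ip"], m["port"], m["qname"].lower()), []).append((ts, m["ecs"]))
    return idx


def correlate(query_log, rpz_log, max_skew=MAX_SKEW):
    """One record per RPZ rewrite, with the client taken from the ECS option of the
    matching query-log line (same proxy socket, same qname, nearest timestamp)."""
    idx = index_queries(query_log)
    events = []
    for line in rpz_log.splitlines():
        m = RPZ_RE.search(line)
        ts = _ts(line)
        if not (m and ts):
            continue
        key = (m["ip"], m["port"], m["qname"].lower())
        # Proxies reuse source ports, so take the closest query in time, not any match.
        near = [(abs(ts - qts), ecs) for qts, ecs in idx.get(key, []) if abs(ts - qts) <= max_skew]
        ecs = min(near, key=lambda p: p[0])[1] if near else None
        events.append({
            "time": ts.isoformat(),
            "client": ecs.split("/")[0] if ecs else m["ip"],
            # 'socket' means no ECS was present, i.e. the client spoke to BIND directly.
            "client_source": "ecs" if ecs else "socket",
            "ecs": ecs, "proxy": m["ip"], "qname": m["qname"],
            "trigger": m["trigger"], "action": m["action"], "via": m["via"],
        })
    return events


if __name__ == "__main__":
    for ev in correlate(QUERY_LOG, RPZ_LOG):
        print(f'{ev["time"]} client={ev["client"]} ({ev["client_source"]}) '
              f'{ev["action"]} {ev["qname"]} via {ev["via"]}')
```

The time window matters: the first sample query reuses the same proxy port and qname ten minutes earlier with a different ECS address, and a naive join on (address, port, qname) alone would attribute the rewrite to the wrong client. Keying on the nearest timestamp within a couple of seconds avoids that, and the "client_source" field makes it explicit when no ECS was present and the socket address is all you have.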

Re: Logging ECS information for RPZ rewrites

Tony Finch
Brian Keifer <[hidden email]> wrote:
>
> The architecture I've been working with so far is a pair of front-end proxy
> servers running keepalived to share a virtual IP and PowerDNS's dnsdist as
> the actual proxy.  The proxies set ECS to the client's IP address and pass
> the request to one of four back-end caching BIND 9.12 servers.

I've sort of been waiting to see if Ray will reply to this question, since
the general opinion seems to be that using ECS in this situation isn't a
great idea, so it should be replaced by a different option:
https://tools.ietf.org/html/draft-bellis-dnsop-xpf

But that doesn't help with your immediate problem.

> That all works beautifully, but when a client has one of their requests
> rewritten based on a threat feed, we want to know about it so that we can
> investigate/remediate that client.

There are a couple of non-BIND ways that you might accomplish this:

(1) Do the logging on the RPZ redirection target server.

(2) Get dnsdist to log responses that have been rewritten by RPZ.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
public services available on equal terms to all