RPZ for reverse lookups ?


RPZ for reverse lookups ?

J Doe
Hello,

I have a basic question regarding RPZ on Bind 9.11.x.

Is it possible to re-write a response on a reverse lookup ?  For instance, if I considered example.com a “bad domain”, can I write a RPZ policy so that a reverse lookup of IP’s that map to example.com fails or is blocked ?

I know I can do this with a forward lookup to generate NXDOMAIN:

; Forward resolution of: example.com and subdomains generates: NXDOMAIN

example.com        IN CNAME .
*.example.com      IN CNAME .

…but can this also be done on reverse lookups ?

Thanks,

- J

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: RPZ for reverse lookups ?

Noel Butler

On 25/08/2019 06:56, J Doe wrote:

> Hello,
>
> I have a basic question regarding RPZ on Bind 9.11.x.
>
> Is it possible to re-write a response on a reverse lookup ?  For instance, if I considered example.com a "bad domain", can I write a RPZ policy so that a reverse lookup of IP's that map to example.com fails or is blocked ?
>
> I know I can do this with a forward lookup to generate NXDOMAIN:
>
> ; Forward resolution of: example.com and subdomains generates: NXDOMAIN
>
> example.com        IN CNAME .
> *.example.com      IN CNAME .
>
> ...but can this also be done on reverse lookups ?
>
> Thanks,
 
This can have disastrous effects if this is for a public network, given shared hosting.

An Australian govt dept (ASIC) ordered a s313 block on an IP a couple of years back; it turns out that IP supplied about 2K hosts, 99.9% of which were very legitimate, including many Aussie businesses.

And I still don't know what's worse: the clueless idiots in ASIC (who thankfully have now, due to that incident, lost most of that power), or the clueless idiots in the ISP's networking who blindly accepted and enacted the block.

To put it in RFC terms for non-Aussies, s313 is a SHOULD, and _not_ a MUST.
If there's a genuine reason, i.e. mass collateral damage, you can lawfully refuse to carry out such requests.
 
--

Kind Regards,

Noel Butler


Re: RPZ for reverse lookups ?

Fred Morris
In reply to this post by J Doe
Yes. See below.

Another respondent expresses concerns about the danger of IP address
blocking. The RPZ implementation (in BIND) includes options for setting
triggers on the address returned with A and AAAA RRs (rpz-ip) and
nameserver address (nsip). These kinds of actions are functionally
distinct from triggers based on the query name.

On Sat, 24 Aug 2019, J Doe wrote:

> [...] Is it possible to re-write a response on a reverse lookup ?  For
> instance, if I considered example.com a “bad domain”, can I write a RPZ
> policy so that a reverse lookup of IP’s that map to example.com fails or
> is blocked ?
>
> I know I can do this with a forward lookup to generate NXDOMAIN:
>
> ; Forward resolution of: example.com and subdomains generates: NXDOMAIN
>
> example.com        IN CNAME .
> *.example.com      IN CNAME .
I have to wonder what led us here and why it's so important to generate
NXDOMAIN. There are plenty of ways to disrupt as well as out and out block
access to an IP address which don't require resorting to DNS tricks, such
as using a firewall, but let's see what we can do.

I suspect if you wanted to block an IP address, that rpz-ip is what you're
looking for.

What you've got above prevents example.com from resolving to any address.
So where did the address come from? Are you sure the evidence chain
involves example.com and not something else (correctly or incorrectly)
resolving to that address, or someone outright lying? Why would you assume
that? (And as the other prior respondent points out, it has risks. Are the
impacts of your proposed actions local in scope? Do you run a local
passive DNS oracle?)

Let's say that example.com resolves to 10.9.8.7. In that case "dig -x
10.9.8.7" will generate a query for 7.8.9.10.in-addr.arpa PTR records. A
record like

     7.8.9.10.in-addr.arpa CNAME .

will generate NXDOMAIN in response to that query. You could be more
explicit:

     7.8.9.10.in-addr.arpa PTR block.this.

If you were doing spam scoring based on the feature "does the FQDN the MTA
declares as its identity match a reverse lookup on its address", either
one of these would potentially fail. NXDOMAIN is generally an implied fail
however, and could be due to infrastructure failures distinct and separate
from imputed conduct; whereas the feature "anything that a reverse lookup
resolves to block.this should be blocked" is explicit (and unambiguous
until the .this TLD launches).

--

Fred Morris
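The two trigger kinds mentioned in this reply, as an added example that is not code from the thread or from BIND itself: a small Python helper that derives the PTR-side QNAME trigger and the rpz-ip response trigger for an address or prefix, so the octet order (the usual mistake when writing these by hand) comes from the standard library. Record syntax follows the BIND ARM's documented forms; `policy_records` and `block.this.` as a marker are assumptions taken from the reply.

```python
import ipaddress


def ptr_trigger(ip: str) -> str:
    """Owner name a PTR lookup of `ip` asks for (in-addr.arpa / ip6.arpa).

    dig -x 10.9.8.7 queries 7.8.9.10.in-addr.arpa, so that name is the RPZ
    QNAME trigger for the reverse lookup. The stdlib does the reversal.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def rpz_ip_trigger(cidr: str) -> str:
    """rpz-ip trigger for an address or prefix, in the form BIND documents:
    prefix.B4.B3.B2.B1.rpz-ip (IPv4) or prefix.W8...W1.rpz-ip with 'zz'
    standing for '::' (IPv6). It matches addresses in A/AAAA answers,
    independent of which name was queried.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address
    if net.version == 4:
        octets = reversed(str(addr).split("."))
        return f"{net.prefixlen}.{'.'.join(octets)}.rpz-ip"
    # IPv6: take the compressed text form, reverse the word order and put
    # 'zz' where '::' was; empty strings from the split are the '::' gap.
    left, sep, right = addr.compressed.partition("::")
    words = [w for w in reversed(right.split(":")) if w]
    if sep:
        words.append("zz")
    words += [w for w in reversed(left.split(":")) if w]
    return f"{net.prefixlen}.{'.'.join(words)}.rpz-ip"


def policy_records(ip: str, marker: str = "") -> list:
    """Two RPZ records for one host address: the PTR-side QNAME trigger
    (NXDOMAIN via 'CNAME .', or an explicit PTR to `marker` as in the reply
    above) and an rpz-ip trigger so forward answers carrying that address
    are rewritten too. SOA/NS and the zone header are left to the operator."""
    qname_rdata = f"PTR {marker}" if marker else "CNAME ."
    return [
        f"{ptr_trigger(ip)} {qname_rdata}",
        f"{rpz_ip_trigger(ip)} CNAME .",
    ]


if __name__ == "__main__":
    # Constructed sample: the address used in the reply above.
    for line in policy_records("10.9.8.7") + policy_records("10.9.8.7", "block.this."):
        print(line)
```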


Re: RPZ for reverse lookups ?

Fred Morris
Clarification on what DNS is...

On Sun, 25 Aug 2019, m3047 wrote:
> On Sat, 24 Aug 2019, J Doe wrote:
>>  [...] Is it possible to re-write a response on a reverse lookup ?  For
>>  instance, if I considered example.com a “bad domain”, can I write a RPZ
>>  policy so that a reverse lookup of IP’s that map to example.com fails or
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>  is blocked ?
>>  [...]
> proposed actions local in scope? Do you run a local passive DNS oracle?)

Strictly speaking, in DNS-speak the "reverse lookup of an IP..." is a PTR
lookup. The "reverse lookup of an IP mapping to example.com" is doing a
PTR lookup and matching it against example.com. I could be wrong
generally, but at least none of the RPZ features which I use generate
additional DNS traffic; an RPZ implementation which did would exceed my
personal threshold of least surprise.

You might consider taking discussion of this to the RPZ interest list or
searching the archives: http://lists.redbarn.org/mailman/listinfo/dnsfirewalls

--

Fred Morris

Re: RPZ for reverse lookups ?

J Doe
Hi Noel and Fred,

Thank you for your replies.  I probably should have provided a bit of context about my situation.

I manage a small e-mail server for a client.  While setting up support for the SpamHaus DNSBL, I read that SpamHaus prefers that people use a non-public (ie: not 8.8.8.8 / large cloud host DNS server) recursive resolver.  I configured Bind 9.11.x to be a recursive resolver and got SpamHaus working with my MTA.  I then learned about RPZ.

I configured RPZ to block forward lookup of known bad domains - for instance, malware C2 servers and so forth, with the idea being that if the e-mail server was infected with malware it would fail forward resolution.  I then wondered if I could configure RPZ to “work in reverse” - that is, to specify a DNS name that results after reverse lookup should result in functionality similar to NXDOMAIN.

The idea behind this was that if I had a domain name or a TLD that I didn’t want to receive connections from, when the server performed the reverse lookup, if it resulted in a domain with that TLD it would break, which would then cause my MTA to refuse delivery.  Currently, my MTA will happily allow a connection if the reverse resolution to any name works.

The reason I wanted this on the DNS name was that I then do not have to know all the IP addresses associated with that domain.  So, if I receive a connection from: 1.2.3.4 when the MTA does a reverse lookup and it matches “example.org” the DNS server doesn’t complete the name lookup.  In this case I am then specifying that anything that resolves to “example.org” should fail.  With the example you provided with a PTR record, I would still have to know the IP addresses owned by a particular domain, which may change over time.

I’ve been able to approach this in a different way.  Instead of having everything break at the DNS level, I’ve configured a right-hand side block list (RHSBL), with the MTA.  Now, when a reverse resolution is done if that domain name or TLD is found in the RHSBL, the connection is blocked.  I have that applied to connections to the server as well as the envelope from address, so if someone connects from: banned.example.com OR states the e-mail is from: [hidden email], the e-mail is rejected.

I think the major difficulty I was running into was trying to have DNS RPZ do everything.

Thank you for the pointer to the RPZ mailing list - I will be joining that shortly.

Regards,

- J

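The RHSBL-style check described in this last post, as an added example that is not the MTA's own code or anything from the thread: a label-boundary suffix match applied to the connecting client's PTR name and to the envelope sender's domain. A constructed PTR table stands in for the resolver, and the names, addresses and the blocked list are sample data.

```python
# Constructed sample data: what the resolver would return for each client,
# and the blocked domains / TLD the operator does not want mail from.
PTR_TABLE = {
    "198.51.100.10": "mx.banned.example.com.",
    "203.0.113.5": "mail.legit.example.net.",
}
BLOCKED = ["banned.example.com", "test"]


def _labels(name: str) -> list:
    """Normalise a DNS name for comparison: lower-case, no trailing dot."""
    return name.lower().rstrip(".").split(".")


def rhsbl_match(name: str, blocked: list) -> str:
    """Return the blocked entry `name` falls under, or '' if none.

    The comparison is on whole labels, so 'notbanned.example.com' does not
    trip an entry for 'banned.example.com', while a bare TLD entry such as
    'test' matches every host under it.
    """
    labels = _labels(name)
    for entry in blocked:
        e = _labels(entry)
        if len(e) <= len(labels) and labels[-len(e):] == e:
            return entry
    return ""


def should_reject(client_ip: str, envelope_from: str, ptr_table: dict, blocked: list):
    """Apply both checks from the post: the client's PTR name and the
    envelope sender's domain. A client with no PTR at all is not decided
    here; that is left to the MTA's other policy."""
    ptr = ptr_table.get(client_ip, "")
    hit = rhsbl_match(ptr, blocked) if ptr else ""
    if hit:
        return True, f"client {client_ip} reverse-resolves to {ptr} under {hit}"
    domain = envelope_from.rpartition("@")[2]
    hit = rhsbl_match(domain, blocked)
    if hit:
        return True, f"envelope sender domain {domain} under {hit}"
    return False, ""


if __name__ == "__main__":
    print(should_reject("198.51.100.10", "user@legit.example.net", PTR_TABLE, BLOCKED))
    print(should_reject("203.0.113.5", "user@spam.test", PTR_TABLE, BLOCKED))
```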