If you know that the well known computer virus Conficker uses a domain generation algorithm (DGA) to choose up to fifty thousand (50,000) command and control domains per day, you might hesitate to try to create an RPZ that contains so many domain names and which changes so much on a daily basis. In that case you might want to trigger your RPZ rule based on the well-known name server names for these command and control domains, rather than trying to trigger on each of 50,000 different (daily) query names. Since the well known name server names for Conficker's domain names are never used by nonmalicious domains, it is safe to poison all lookups that rely on these name servers. Here is an example that achieves this result:
ns.0xc0f1c3a5.com.rpz-nsdname CNAME *.walled-garden.example.com.
ns.0xc0f1c3a5.net.rpz-nsdname CNAME *.walled-garden.example.com.
ns.0xc0f1c3a5.org.rpz-nsdname CNAME *.walled-garden.example.com.
at the beginning of these CNAME target names is special, and it causes the original query name to be prepended to the CNAME target. So if one of your users tries to visit the Conficker command and control domain http://racaldftn.com.ai/
(which is a valid Conficker command and control domain name for 19-October-2011), your RPZ-connected recursive name server will send back this answer:
racaldftn.com.ai. CNAME racaldftn.com.ai.walled-garden.example.com.
racaldftn.com.ai.walled-garden.example.com. A 192.168.50.3
This example presumes that you've also created the following DNS content, which is not part of the RPZ zone itself but is in one of your other domains.
* A 192.168.50.3
Assuming that you're running a web server listening on 192.168.50.3 that always displays a warning message no matter what URI is used, the above RPZ configuration will instruct the web browser of any infected end user to connect to a "server name" consisting of their original lookup name (racaldftn.com.ai) prepended to the walled garden domain name (walled-garden.example.com). This is the name which will appear in the web server's log file, and having the full name in that log file will facilitate your analysis as to which users are infected with what virus.
See also: Building DNS Firewalls with Response Policy Zones (RPZ)
© 2001-2015 Internet Systems ConsortiumPlease help us to improve the content of our knowledge base by letting us know below how we can improve this article. If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback. For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.