When maintaining a DNS RPZ, how do I put infected users into a walled garden?
Author: Paul Vixie. Reference Number: AA-00520. Created: 2011-11-01 06:18. Last Updated: 2011-11-01 19:44.

If you know that the well-known computer virus Conficker uses a domain generation algorithm (DGA) to choose up to fifty thousand (50,000) command and control domains per day, you might hesitate to create an RPZ that contains so many domain names and that changes so much from one day to the next. In that case you might prefer to trigger your RPZ rule on the well-known name server names used by these command and control domains, rather than trying to trigger on each of the 50,000 different (daily) query names. Since the well-known name server names for Conficker's domains are never used by non-malicious domains, it is safe to poison every lookup that relies on these name servers. Here is an example that achieves this result:

$ORIGIN rpz.example.com.
ns.0xc0f1c3a5.com.rpz-nsdname  CNAME  *.walled-garden.example.com.
ns.0xc0f1c3a5.net.rpz-nsdname  CNAME  *.walled-garden.example.com.
ns.0xc0f1c3a5.org.rpz-nsdname  CNAME  *.walled-garden.example.com.
The * at the beginning of these CNAME target names is special, and it causes the original query name to be prepended to the CNAME target. So if one of your users tries to visit the Conficker command and control domain http://racaldftn.com.ai/ (which is a valid Conficker command and control domain name for 19-October-2011), your RPZ-connected recursive name server will send back this answer:

racaldftn.com.ai.     CNAME     racaldftn.com.ai.walled-garden.example.com.
racaldftn.com.ai.walled-garden.example.com.     A      192.168.50.3

This example presumes that you've also created the following DNS content, which is not part of the RPZ zone itself but is in one of your other domains.

$ORIGIN walled-garden.example.com.
*     A     192.168.50.3

Assuming that you're running a web server listening on 192.168.50.3 that always displays a warning message no matter what URI is used, the above RPZ configuration will instruct the web browser of any infected end user to connect to a "server name" consisting of their original lookup name (racaldftn.com.ai) prepended to the walled garden domain name (walled-garden.example.com). This is the name that will appear in the web server's log file, and having the full name in that log file makes it easy to determine which users are infected with which virus.
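The following is an added example (not ISC's or BIND's code) that models the mechanism described above end to end: it parses the rpz-nsdname rules out of a policy zone, simulates the trigger and the "*." CNAME expansion for a query, and recovers the original lookup name from the Host value a walled-garden web server would log. The zone text, name server names and Host values are constructed for illustration; the rule-matching shortcut used here (matching the zone's name servers directly, not a full resolution) is an assumption of the example.

```python
# Added example (not ISC's code): parse the rpz-nsdname rules of a policy zone,
# simulate the trigger plus the "*." CNAME expansion described above, and recover
# the original lookup name from the Host field a walled-garden web server logs.
# Zone text, name server names and Host values here are constructed.

RPZ_ZONE = """\
$ORIGIN rpz.example.com.
ns.0xc0f1c3a5.com.rpz-nsdname  CNAME  *.walled-garden.example.com.
ns.0xc0f1c3a5.net.rpz-nsdname  CNAME  *.walled-garden.example.com.
ns.0xc0f1c3a5.org.rpz-nsdname  CNAME  *.walled-garden.example.com.
"""

def _fqdn(name, origin="."):
    # Absolute names keep their trailing dot; relative names get the origin.
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

def parse_nsdname_rules(zone_text):
    # Map each triggering name server name (absolute, lowercase) to its target.
    rules, origin = {}, "."
    for line in zone_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        owner, rtype, target = _fqdn(parts[0], origin), parts[1], parts[2]
        suffix = ".rpz-nsdname." + origin  # only the nsdname subtree is read
        if rtype == "CNAME" and owner.endswith(suffix):
            rules[(owner[: -len(suffix)] + ".").lower()] = target
    return rules

def rpz_nsdname_rewrite(qname, name_servers, rules):
    # CNAME target for qname if a name server consulted for it matches a rule;
    # a "*." target has the original query name prepended, as in the answer above.
    qname = _fqdn(qname)
    for ns in name_servers:
        target = rules.get(_fqdn(ns).lower())
        if target is not None:
            return qname + target[2:] if target.startswith("*.") else target
    return None

def original_lookup_name(host, garden="walled-garden.example.com"):
    # Strip the walled-garden suffix from the logged Host to get the lookup name.
    suffix = "." + garden.rstrip(".").lower()
    host = host.rstrip(".").lower()
    return host[: -len(suffix)] + "." if host.endswith(suffix) else None
```

Running `rpz_nsdname_rewrite("racaldftn.com.ai", ["ns.0xc0f1c3a5.com"], parse_nsdname_rules(RPZ_ZONE))` reproduces the CNAME target shown in the answer above, and `original_lookup_name` turns the logged server name back into `racaldftn.com.ai.`.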

See also: Building DNS Firewalls with Response Policy Zones (RPZ)

© 2001-2014 Internet Systems Consortium
