Filtering traffic by DNS name and IP address
What About DNSSEC?
Hang on, isn't DNSSEC supposed to prevent people from fiddling with and spoofing DNS replies? By default, RPZ will not intercept queries with the DNSSEC flag set, which right now isn't a huge problem, because very few domains use DNSSEC. However, as bad guys start to use DNSSEC, you'll probably want to block them as well. To override this, set the break-dnssec
option to yes
in the RPZ definition in named.conf
[3].
For clients enforcing DNSSEC in replies, you won't be able to create arbitrary replies and redirect them to a walled garden server, but you can achieve the same effect of NXDOMAIN or NODATA because the client will treat the data as bad and not connect. However, the user may see some errors.
Conclusion
Filtering traffic based on DNS name, servers, and IP addresses can be extremely efficient in blocking bad stuff, especially as it covers all protocols (e.g., HTTP, HTTPS, mail, etc.). It also solves the problem of devices onto which you can't easily load adblock or other filtering software. On the flip side, if those devices are used on another network, they may be exposed to malware and such.
Next month, I'll talk about logging DNS queries and replies in order to collect data so that you know what to block and can see whether anything malicious has gotten inside your network.
Infos
- Building DNS firewalls with Response Policy Zones (RPZ): https://kb.isc.org/article/AA-00525/0
- DNS Response Policy Zones: https://kb.isc.org/article/AA-00512/0
- BIND 9 configuration reference: ftp://ftp.isc.org/isc/bind9/9.9.4/doc/arm/Bv9ARM.ch06.html
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)