Honeypots mailing list archives
Re: DNS honeypots?
From: Alexandre Dulaunoy <adulau () gmail com>
Date: Wed, 3 Mar 2010 16:24:01 +0100
On Tue, Mar 2, 2010 at 9:00 PM, Jason Lewis <jlewis () packetnexus com> wrote:
Anyone have any pointers to dns honeypots or maybe just BIND configurations that would allow logging of malicious queries without actually executing them?
We have used various techniques to make DNS honeypots. But there is an easy to do "fake" DNS server using Net::DNS::Nameserver:
http://search.cpan.org/~olaf/Net-DNS/

You can even find a simple example in the POD:
http://search.cpan.org/~olaf/Net-DNS/lib/Net/DNS/Nameserver.pm

If you want to make a low-interaction nameserver, you can filter the request and answer to limit the malicious queries but still gain information by doing and logging the request but not sending them back to the client.

Hope this helps,

Kind regards,

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
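The low-interaction idea from the message above, as an added example that is not part of the original post and not the poster's code: a UDP listener that parses and logs each DNS question but never resolves it. It uses Python's standard library instead of Net::DNS::Nameserver; the REFUSED reply, the listen address and the function names are assumptions of this sketch.

```python
import socket
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 255: "ANY"}

def parse_question(packet):
    """Return (txid, flags, qname, qtype, end_of_question) or None if unparsable."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:      # a response, or an unusual question count
        return None
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):   # pointer or truncated label
            return None
        # Escape non-printable bytes so a crafted name cannot forge log lines.
        labels.append("".join(chr(b) if 33 <= b <= 126 else "\\x%02x" % b
                              for b in packet[pos + 1:pos + 1 + length]))
        pos += 1 + length
    if pos + 5 > len(packet):               # need root label + QTYPE + QCLASS
        return None
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels) or ".", QTYPES.get(qtype, str(qtype)), pos + 5

def handle(packet, peer, log=print):
    """Log one query; return a REFUSED reply with no answers, or None to stay silent."""
    parsed = parse_question(packet)
    if parsed is None:
        log("%s unparsed len=%d" % (peer, len(packet)))
        return None
    txid, flags, qname, qtype, end = parsed
    log("%s %s %s" % (peer, qtype, qname))
    # QR=1, opcode and RD copied from the query, RCODE=5 (REFUSED), question echoed.
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x7900) | 5, 1, 0, 0, 0)
    return header + packet[12:end]

if __name__ == "__main__":
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))          # constructed listen address for the sketch
    while True:
        data, addr = sock.recvfrom(512)
        reply = handle(data, addr[0])
        if reply:
            sock.sendto(reply, addr)
```

Because the reply only echoes the question, it is never meaningfully larger than the query, so the listener does not act as an amplifier for spoofed sources.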