Honeypots mailing list archives
Re: DNS honeypots?
From: Jason Ross <algorythm () gmail com>
Date: Tue, 2 Mar 2010 15:49:20 -0500
On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis () packetnexus com> wrote:
Anyone have any pointers to dns honeypots or maybe just BIND configurations that would allow logging of malicious queries without actually executing them?
Below is how I've got BIND set up in Debian Linux for a similar purpose. It sends all the queries to a log file, and returns an A record (and MX) of whatever value you'd like (I used RFC1918 space for this example). Not sure it's perfect, but it works pretty well for my purposes.

Cheers,
--
Jason

root dir: /etc/bind

======== named.conf ========
include "/etc/bind/named.conf.options";

// Authoritative for the root, so every name resolves from db.wildcard.
zone "." IN {
    type master;
    file "/etc/bind/db.wildcard";
};

======== named.conf.options ========
options {
    directory "/var/cache/bind";
    allow-transfer { none; };
    listen-on-v6 { any; };
};

logging {
    // query.log is relative to the directory above (/var/cache/bind).
    channel query_log {
        severity info;
        print-time yes;
        file "query.log" versions 5 size 50M;
    };
    category queries { query_log; };
};

======== db.wildcard ========
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        2009102201      ; serial
                        604800          ; refresh
                        86400           ; retry
                        2419200         ; expire
                        604800 )        ; negative cache ttl
@       IN      NS      localhost.
*       IN      MX      10 mail.
*       IN      A       192.168.3.101
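As an added example (not part of the original message), a small parser for the query.log that the configuration above writes, aggregating what each client asked the sinkhole for. The log line layout (timestamp, client ip#port, query: name class type) and the sample lines are assumptions I constructed for BIND 9 of that era; check them against a real query.log first.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 query-log layout with "print-time yes" and "category queries".
# Newer BIND versions add fields (view name, client handle); adjust the regex then.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# Constructed sample log lines, not taken from the original post.
SAMPLE_LOG = """\
02-Mar-2010 15:49:20.101 client 192.168.1.5#53211: query: www.example.com IN A + (192.168.3.101)
02-Mar-2010 15:49:20.203 client 192.168.1.5#53212: query: example.com IN MX + (192.168.3.101)
02-Mar-2010 15:49:21.010 client 192.168.1.9#40000: query: update.example.net IN A + (192.168.3.101)
02-Mar-2010 15:49:21.500 client 192.168.1.9#40001: query: cnc.example.net IN A + (192.168.3.101)
02-Mar-2010 15:49:22.000 client 192.168.1.9#40002: query: cnc.example.net IN A + (192.168.3.101)
garbage line that should be skipped
"""


def parse_query_log(text):
    """Yield one dict per parsable query line; anything else is skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Return (queries per client, names per client, record-type counts)."""
    per_client = Counter()
    names_by_client = defaultdict(Counter)
    qtypes = Counter()
    for q in parse_query_log(text):
        per_client[q["ip"]] += 1
        names_by_client[q["ip"]][q["name"].lower()] += 1
        qtypes[q["qtype"]] += 1
    return per_client, names_by_client, qtypes


def report(text):
    """Print the noisiest clients first, with the names each one requested."""
    per_client, names_by_client, qtypes = summarize(text)
    for ip, n in per_client.most_common():
        print(f"{ip}: {n} queries")
        for name, c in names_by_client[ip].most_common():
            print(f"    {c:4d}  {name}")
    print("query types:", dict(qtypes))


if __name__ == "__main__":
    report(SAMPLE_LOG)
```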
Current thread:
- DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? Tillmann Werner (Mar 02)
- Re: DNS honeypots? Jason Ross (Mar 02)
- Re: DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? chr1x (Mar 02)
- Re: DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? Valdis . Kletnieks (Mar 02)
- Re: DNS honeypots? Jason Ross (Mar 02)
- Re: DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? Brent Huston (Mar 03)
- Re: DNS honeypots? Jason Lewis (Mar 03)
- Re: DNS honeypots? Brent Huston (Mar 03)
- Re: DNS honeypots? Jason Ross (Mar 03)
- Re: DNS honeypots? Jason Lewis (Mar 03)
- Re: DNS honeypots? Alexandre Dulaunoy (Mar 03)