Honeypots mailing list archives
Re: DNS honeypots?
From: Tillmann Werner <tillmann.werner () gmx de>
Date: Tue, 02 Mar 2010 21:18:45 +0100
Jason,
> Anyone have any pointers to dns honeypots or maybe just BIND configurations that would allow logging of malicious queries without actually executing them?
No need to run a server, you can simply sniff DNS traffic destined to that box. If you don't want to send back an ICMP port unreachable message, just block them using a packet filter.

I have some DNS sniffer code for exactly that purpose I can send to you off-list if you are interested. tcpdump does the job, too, but mine integrates DNS processing and logging (for IN/A record queries via UDP).

Tillmann
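The reply describes a passive DNS honeypot: nothing answers on UDP/53, queries arriving at the box are decoded and logged. The following is an added example, not Tillmann's sniffer or anything from the original thread. It parses the header and question section of a DNS query (RFC 1035 wire format) and turns it into a log line; the sample query, the source address 192.0.2.10 and the helper names are constructed for this illustration. It also shows one way to avoid the ICMP port unreachable mentioned above without a packet filter: binding a UDP socket to port 53 and never replying, so the kernel has no closed port to report.

```python
import socket
import struct

# RFC 1035 QTYPE / QCLASS values we want to print by name; unknown ones are logged numerically.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}
QCLASSES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}


def parse_dns_query(payload: bytes) -> dict:
    """Decode the 12-byte header and the first question of a DNS query message.

    Raises ValueError on responses and on malformed or truncated input, so a
    hostile packet aimed at the honeypot cannot crash the logger.
    """
    if len(payload) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")

    labels = []
    offset = 12
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never appear in the question of a freshly built query.
            raise ValueError("compression pointer in QNAME")
        if offset + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    if offset + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])

    return {
        "id": txid,
        "rd": bool(flags & 0x0100),          # recursion desired
        "qname": ".".join(labels) + ".",
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": QCLASSES.get(qclass, str(qclass)),
    }


def format_log_line(src_ip: str, src_port: int, payload: bytes) -> str:
    """One log line per query: who asked, for what, in which class."""
    q = parse_dns_query(payload)
    return f"{src_ip}:{src_port} id={q['id']:#06x} {q['qclass']} {q['qtype']} {q['qname']}"


def build_dns_query(name: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal recursion-desired query. Used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def listen_and_log(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Sit on UDP/53 and log every query without ever answering (needs root for port 53).

    Because the port is bound, the kernel sends no ICMP port unreachable; the
    client simply times out, just as the post describes for the filtered case.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        payload, (src_ip, src_port) = sock.recvfrom(4096)
        try:
            print(format_log_line(src_ip, src_port, payload))
        except ValueError as err:
            print(f"{src_ip}:{src_port} unparseable DNS payload: {err}")


if __name__ == "__main__":
    # Constructed sample: a client at 192.0.2.10 asking for the A record of www.example.com.
    sample = build_dns_query("www.example.com")
    print(format_log_line("192.0.2.10", 53211, sample))
```

Run the file as-is to see the constructed sample decoded; call `listen_and_log()` on a box that should never serve DNS to get the passive logging the post talks about. Any real query reaching that port is suspect by definition, which is what makes the log useful.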