Re: DNS honeypots?

[Jason Lewis <jlewis () packetnexus com>]

Cool, this is the kind of thing I was thinking of doing.  I was hoping
I wouldn't have to reinvent the wheel.

Thanks.

On Tue, Mar 2, 2010 at 3:49 PM, Jason Ross <algorythm () gmail com> wrote:
> On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis () packetnexus com> wrote:
> > Anyone have any pointers to dns honeypots or maybe just BIND
> > configurations that would allow logging of malicious queries without
> > actually executing them?
>
>
> Below is how I've got BIND set up in Debian Linux for a similar purpose.
> It sends all the queries to a log file, and returns an A record (and MX)
> of whatever value you'd like (I used RFC1918 space for this example).
>
> Not sure it's perfect, but it works pretty well for my purposes.
>
> Cheers,
> --
> Jason
>
>
>
> root dir: /etc/bind
>
> ========
> named.conf
> ========
> include "/etc/bind/named.conf.options";
>
> zone "." IN {
>   type master;
>   file "/etc/bind/db.wildcard";
> };
>
>
> ========
> named.conf.options
> ========
> options {
>   directory "/var/cache/bind";
>   allow-transfer { none; };
>   listen-on-v6 { any; };
> };
>
> logging {
>   channel query_log {
>      severity info;
>      print-time yes;
>      file "query.log" versions 5 size 50M;
>   };
>   category queries {
>      query_log;
>   };
> };
>
>
> ========
> db.wildcard
> ========
> $TTL   604800
> @   IN   SOA   localhost.  root.localhost. (
>                        2009102201  ; serial
>                               604800  ; refresh
>                                 86400  ; retry
>                             2419200  ; expire
>                              604800) ; negative cache ttl
>
> @              IN         NS        localhost.
> *              IN          MX 10   mail.
> *              IN            A        192.168.3.101