Re: DNS honeypots?

[chr1x <chr1x () sectester net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This post looks pretty interesting!

Let's analyze your requirement:

1. Logging malicious queries
2. Reject/Deny any possible dns attack attempt


Well, from my point of view, going from the Honeypot concept which is
track hackers, probably the best way that you can follow is to setup an
IPS instead a Sensor. Personally, I don't see the purpose to have
"Reactive" honeypot if the objective of a honeypot is to be the most
open possible possible, talking about vulnerabilities on network/local
services ready to receive tons of attacks.

Anyway, the only way more closer to the thing that you are looking for
is to setup Snort in your DNS server, configure just the rules for DNS
attacks, and see if exist a way to drop the dns packets that comes from
the attacker side, but probably looking here could help:

http://snort-inline.sourceforge.net/


The difference between normal snort installation and snort-inline is
that this 2nd take actions to the packets that snort detects, in this
case, probably after you configure the DNS service, the DNS
rule-detection and the snort-inline config, you can have a very nice
"reactive" honeypot :D

Hope this helps Jason.

Best regards,

Christian


On 02/03/2010 05:11 p.m., Jason Lewis wrote:
> Cool, this is the kind of thing I was thinking of doing.  I was hoping
> I wouldn't have to reinvent the wheel.
>
> Thanks.
>
> On Tue, Mar 2, 2010 at 3:49 PM, Jason Ross <algorythm () gmail com> wrote:
> > On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis () packetnexus com> wrote:
> > > Anyone have any pointers to dns honeypots or maybe just BIND
> > > configurations that would allow logging of malicious queries without
> > > actually executing them?
> >
> >
> > Below is how I've got BIND set up in Debian Linux for a similar purpose.
> > It sends all the queries to a log file, and returns an A record (and MX)
> > of whatever value you'd like (I used RFC1918 space for this example).
> >
> > Not sure it's perfect, but it works pretty well for my purposes.
> >
> > Cheers,
> > --
> > Jason
> >
> >
> >
> > root dir: /etc/bind
> >
> > ========
> > named.conf
> > ========
> > include "/etc/bind/named.conf.options";
> >
> > zone "." IN {
> >   type master;
> >   file "/etc/bind/db.wildcard";
> > };
> >
> >
> > ========
> > named.conf.options
> > ========
> > options {
> >   directory "/var/cache/bind";
> >   allow-transfer { none; };
> >   listen-on-v6 { any; };
> > };
> >
> > logging {
> >   channel query_log {
> >      severity info;
> >      print-time yes;
> >      file "query.log" versions 5 size 50M;
> >   };
> >   category queries {
> >      query_log;
> >   };
> > };
> >
> >
> > ========
> > db.wildcard
> > ========
> > $TTL   604800
> > @   IN   SOA   localhost.  root.localhost. (
> >                        2009102201  ; serial
> >                               604800  ; refresh
> >                                 86400  ; retry
> >                             2419200  ; expire
> >                              604800) ; negative cache ttl
> >
> > @              IN         NS        localhost.
> > *              IN          MX 10   mail.
> > *              IN            A        192.168.3.101
> >
> >
> >
> >
> > No virus found in this incoming message.
> > Checked by AVG - www.avg.com 
> > Version: 9.0.733 / Virus Database: 271.1.1/2719 - Release Date: 03/02/10 13:34:00
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLjc4qAAoJEC7eoa2EW6vfzMYH/iwhpgpqO8wDJmJnVsK4cTOc
0UGXmzLN6r3egHSVnDocIWTmHE8xw1cyCa1tsbHOwLNDSB/ybT9f5xyoEkya24G4
TmtgzJLC5cODBuVqrGpVCxvNnqaHUgCmZrlHwmGQfXUFOALM91hBGm0aHG6StC4o
IUG7Dsg7J+4yrrw3v4R8bu63qyngrY9XhxHd+9Q2bos2KfcSXgOrbdWL5VTKLIrE
hlatnh/GPrCdxP05YXLHGLPHXsTOwr8AEpFjOgZRJQS9oFrZMHkvQ9O8SJBrgAae
RsR4wzGYErhLGjgI92RuDP4f7aMv18s2MT505ZB3JqeWiqVJeuIVuFklCOHcxo8=
=z+il
-----END PGP SIGNATURE-----