Honeypots
DNS honeypots? Mar 02 2010 08:00PM
Jason Lewis (jlewis packetnexus com) (5 replies)
Re: DNS honeypots? Mar 03 2010 03:24PM
Alexandre Dulaunoy (adulau gmail com)
Re: DNS honeypots? Mar 03 2010 02:20PM
Brent Huston (lbhlists gmail com) (1 replies)
Re: DNS honeypots? Mar 03 2010 02:38PM
Jason Lewis (jlewis packetnexus com) (1 replies)
Re: DNS honeypots? Mar 03 2010 02:55PM
Brent Huston (lbhlists gmail com) (1 replies)
Re: DNS honeypots? Mar 03 2010 03:29PM
Jason Ross (algorythm gmail com)
Re: DNS honeypots? Mar 02 2010 09:48PM
Valdis Kletnieks vt edu (2 replies)
Re: DNS honeypots? Mar 02 2010 10:57PM
Jason Lewis (jlewis packetnexus com)
Re: DNS honeypots? Mar 02 2010 10:57PM
Jason Ross (algorythm gmail com)
Re: DNS honeypots? Mar 02 2010 08:49PM
Jason Ross (algorythm gmail com) (1 replies)
On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis (at) packetnexus (dot) com [email concealed]> wrote:
> Anyone have any pointers to dns honeypots or maybe just BIND
> configurations that would allow logging of malicious queries without
> actually executing them?
>

Below is how I've got BIND set up in Debian Linux for a similar purpose.
It sends all the queries to a log file, and returns an A record (and MX)
of whatever value you'd like (I used RFC1918 space for this example).

Not sure it's perfect, but it works pretty well for my purposes.

Cheers,
--
Jason

root dir: /etc/bind

========
named.conf
========
include "/etc/bind/named.conf.options";

zone "." IN {
    type master;
    file "/etc/bind/db.wildcard";
};

========
named.conf.options
========
options {
    directory "/var/cache/bind";
    allow-transfer { none; };
    listen-on-v6 { any; };
};

logging {
    channel query_log {
        severity info;
        print-time yes;
        file "query.log" versions 5 size 50M;
    };
    category queries {
        query_log;
    };
};

========
db.wildcard
========
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        2009102201 ; serial
                        604800     ; refresh
                        86400      ; retry
                        2419200    ; expire
                        604800 )   ; negative cache ttl

@       IN      NS      localhost.
*       IN      MX      10 mail.
*       IN      A       192.168.3.101
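
Added example, not part of the original post: a Python script that reads the query.log written by the query_log channel in the configuration above and summarises, per client, how many queries arrived, for which names and of which types. The sample lines are constructed, and the regex assumes BIND 9's usual "client IP#port: query: name class type flags" line layout.

```python
import re
from collections import Counter, defaultdict

# BIND 9 "queries" line as written with print-time yes. Newer releases add
# "@0x..." after "client" and "(qname)" before the colon; both are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample lines (not real traffic); the last one is truncated.
SAMPLE_LOG = """\
02-Mar-2010 15:00:01.123 client 10.0.0.5#53211: query: www.example.com IN A +
02-Mar-2010 15:00:01.456 client 10.0.0.5#53212: query: example.com IN MX +
02-Mar-2010 15:00:02.001 client 10.0.0.9#40000: query: . IN ANY -
02-Mar-2010 15:00:03.500 client @0x7f3c 10.0.0.9#40001 (Example.ORG): query: Example.ORG IN TXT +E(0)
02-Mar-2010 15:00:04.000 client 10.0.0.7#1234: query: trunc
""".splitlines()


def parse_line(line):
    """Return a dict for one query line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower() or "."  # root stays "."
    rec["recursion_desired"] = rec["flags"].startswith("+")  # "+" means RD set
    return rec


def summarize(lines):
    """Per-client query count, distinct names and query types; plus skipped lines."""
    clients = defaultdict(lambda: {"count": 0, "names": set(), "types": Counter()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = clients[rec["ip"]]
        entry["count"] += 1
        entry["names"].add(rec["qname"])
        entry["types"][rec["qtype"]] += 1
    return dict(clients), skipped


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    for ip, e in sorted(summary.items()):
        print(ip, e["count"], sorted(e["names"]), dict(e["types"]))
    print("unparsed lines:", skipped)
```

With the configuration above, the real file is /var/cache/bind/query.log; pass its lines to summarize() in place of SAMPLE_LOG.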

Re: DNS honeypots? Mar 02 2010 11:11PM
Jason Lewis (jlewis packetnexus com) (1 replies)
Re: DNS honeypots? Mar 03 2010 02:49AM
chr1x (chr1x sectester net)
Re: DNS honeypots? Mar 02 2010 08:18PM
Tillmann Werner (tillmann werner gmx de)


 

Copyright 2010, SecurityFocus