Honeypots
DNS honeypots? Mar 02 2010 08:00PM Jason Lewis (jlewis packetnexus com) (5 replies)
Re: DNS honeypots? Mar 03 2010 02:20PM Brent Huston (lbhlists gmail com) (1 replies)
Re: DNS honeypots? Mar 03 2010 02:38PM Jason Lewis (jlewis packetnexus com) (1 replies)
I wouldn't have to reinvent the wheel.
Thanks.
On Tue, Mar 2, 2010 at 3:49 PM, Jason Ross <algorythm (at) gmail (dot) com [email concealed]> wrote:
> On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis (at) packetnexus (dot) com [email concealed]> wrote:
>> Anyone have any pointers to dns honeypots or maybe just BIND
>> configurations that would allow logging of malicious queries without
>> actually executing them?
>>
>
>
> Below is how I've got BIND set up in Debian Linux for a similar purpose.
> It sends all the queries to a log file, and returns an A record (and MX)
> of whatever value you'd like (I used RFC1918 space for this example).
>
> Not sure it's perfect, but it works pretty well for my purposes.
>
> Cheers,
> --
> Jason
>
>
>
> root dir: /etc/bind
>
> ========
> named.conf
> ========
> include "/etc/bind/named.conf.options";
>
> zone "." IN {
>     type master;
>     file "/etc/bind/db.wildcard";
> };
>
>
> ========
> named.conf.options
> ========
> options {
>     directory "/var/cache/bind";
>     allow-transfer { none; };
>     listen-on-v6 { any; };
> };
>
> logging {
>     channel query_log {
>         severity info;
>         print-time yes;
>         file "query.log" versions 5 size 50M;
>     };
>     category queries {
>         query_log;
>     };
> };
>
>
> ========
> db.wildcard
> ========
> $TTL 604800
> @   IN  SOA localhost. root.localhost. (
>             2009102201 ; serial
>             604800     ; refresh
>             86400      ; retry
>             2419200    ; expire
>             604800 )   ; negative cache ttl
>
> @   IN  NS  localhost.
> *   IN  MX  10 mail.
> *   IN  A   192.168.3.101
>
[ reply ]
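With the configuration quoted above, every query the sinkhole answers is written to query.log; what follows is an added example (not from the thread) that parses those lines and summarises which names, record types and clients hit the sinkhole most often, so the log can be triaged rather than just collected. It assumes the classic BIND 9 query-log line format produced with `print-time yes`, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Classic BIND 9 query-log line as written by the `category queries`
# channel with `print-time yes`. The exact format is an assumption about
# the BIND version in use; newer releases add an "@0x..." token and the
# queried name in parentheses after the client address.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client, qname, qtype) per query line; skip other log lines."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            # Normalise names so "Foo.Example." and "foo.example" count together.
            qname = m.group("qname").lower().rstrip(".")
            yield m.group("ts"), m.group("client"), qname, m.group("qtype")


def summarize(lines, top=5):
    """Aggregate the sinkhole log: most-queried names, record types and clients."""
    names, types, clients = Counter(), Counter(), Counter()
    for _ts, client, qname, qtype in parse_query_log(lines):
        names[qname] += 1
        types[qtype] += 1
        clients[client] += 1
    return {
        "total": sum(names.values()),
        "names": names.most_common(top),
        "types": types.most_common(top),
        "clients": clients.most_common(top),
    }


# Constructed sample log (hosts and names are made up; .test is a reserved TLD).
SAMPLE_LOG = """\
02-Mar-2010 20:00:01.123 client 10.0.0.5#53123: query: update.example.test IN A +
02-Mar-2010 20:00:01.456 client 10.0.0.5#53124: query: update.example.test IN MX +
02-Mar-2010 20:00:02.001 client 10.0.0.7#41222: query: cnc.example.test IN A +
02-Mar-2010 20:00:02.300 client 10.0.0.5#53125: query: UPDATE.EXAMPLE.TEST. IN A +
02-Mar-2010 20:00:03.000 general: info: received control channel command 'reload'
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run it against the real file with `summarize(open("/var/cache/bind/query.log"))` to see which hosts are resolving names that should never have been asked for.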