Honeypots
DNS honeypots? Mar 02 2010 08:00PM
Jason Lewis (jlewis packetnexus com) (5 replies)
Re: DNS honeypots? Mar 02 2010 08:49PM
Jason Ross (algorythm gmail com) (1 replies)
Re: DNS honeypots? Mar 02 2010 11:11PM
Jason Lewis (jlewis packetnexus com) (1 replies)
Cool, this is the kind of thing I was thinking of doing. I was hoping
I wouldn't have to reinvent the wheel.

Thanks.

On Tue, Mar 2, 2010 at 3:49 PM, Jason Ross <algorythm (at) gmail (dot) com [email concealed]> wrote:
> On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis (at) packetnexus (dot) com [email concealed]> wrote:
>> Anyone have any pointers to dns honeypots or maybe just BIND
>> configurations that would allow logging of malicious queries without
>> actually executing them?
>>
>
>
> Below is how I've got BIND set up in Debian Linux for a similar purpose.
> It sends all the queries to a log file, and returns an A record (and MX)
> of whatever value you'd like (I used RFC1918 space for this example).
>
> Not sure it's perfect, but it works pretty well for my purposes.
>
> Cheers,
> --
> Jason
>
>
>
> root dir: /etc/bind
>
> ========
> named.conf
> ========
> include "/etc/bind/named.conf.options";
>
> zone "." IN {
>   type master;
>   file "/etc/bind/db.wildcard";
> };
>
>
> ========
> named.conf.options
> ========
> options {
>   directory "/var/cache/bind";
>   allow-transfer { none; };
>   listen-on-v6 { any; };
> };
>
> logging {
>   channel query_log {
>      severity info;
>      print-time yes;
>      file "query.log" versions 5 size 50M;
>   };
>   category queries {
>      query_log;
>   };
> };
>
>
> ========
> db.wildcard
> ========
> $TTL   604800
> @   IN   SOA   localhost.  root.localhost. (
>                        2009102201  ; serial
>                               604800  ; refresh
>                                 86400  ; retry
>                             2419200  ; expire
>                              604800) ; negative cache ttl
>
> @              IN         NS        localhost.
> *              IN          MX 10   mail.
> *              IN            A        192.168.3.101
>

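A log-triage sketch for the `query.log` written by the configuration quoted above, added here as an example and not part of the original thread. It assumes BIND 9's usual query-log line layout (`client <ip>#<port>: query: <name> <class> <type> <flags>`, with the optional `@0x...` pointer and `(name)` fields of later releases); the sample lines are constructed, and the "notable" rule (CH-class or ANY-type queries) is an illustrative choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout the "query_log" channel produces
# with print-time yes. Client addresses are documentation ranges.
SAMPLE_LOG = """\
03-Mar-2010 14:20:01.113 client 198.51.100.7#40112: query: www.example.com IN A +
03-Mar-2010 14:20:01.530 client 198.51.100.7#40113: query: example.com IN MX +
03-Mar-2010 14:20:02.004 client 203.0.113.9#5353: query: . IN ANY +E
03-Mar-2010 14:20:02.380 client 203.0.113.9#5353: query: . IN ANY +E
03-Mar-2010 14:20:03.219 client @0x7f3a 192.0.2.44#61001 (version.bind): query: version.bind CH TXT +
03-Mar-2010 14:20:04.000 general: zone ./IN: loaded serial 2009102201
"""

# Tolerates the optional category/severity prefixes, the @0x pointer and the
# "(qname)" field that newer BIND 9 releases add (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"(?:queries: )?(?:info: )?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: "
    r"(?:view \S+: )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Return a dict for a query-log line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower()  # DNS names are case-insensitive
    return rec

def summarize(text):
    """Count (qname, class, type) per client and collect queries to review."""
    per_client = defaultdict(Counter)
    notable = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["qname"], rec["qclass"], rec["qtype"])
        per_client[rec["ip"]][key] += 1
        # Illustrative triage rule: CHAOS-class and ANY-type queries
        if rec["qclass"] == "CH" or rec["qtype"] == "ANY":
            notable.append((rec["ts"], rec["ip"]) + key)
    return per_client, notable
```
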
Copyright 2010, SecurityFocus