Honeypots mailing list archives
Re: DNS honeypots?
From: Jason Ross <algorythm () gmail com>
Date: Tue, 2 Mar 2010 15:49:20 -0500
On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis () packetnexus com> wrote:
> Anyone have any pointers to dns honeypots or maybe just BIND configurations
> that would allow logging of malicious queries without actually executing them?
Below is how I've got BIND set up in Debian Linux for a similar purpose.
It sends all the queries to a log file, and returns an A record (and MX)
of whatever value you'd like (I used RFC1918 space for this example).
Not sure it's perfect, but it works pretty well for my purposes.
Cheers,
--
Jason
root dir: /etc/bind
========
named.conf
========
// Pull in the global options and logging configuration below.
include "/etc/bind/named.conf.options";

// Act as master for the root zone so every name, whatever the domain,
// is answered from the wildcard records in db.wildcard.
zone "." IN {
    type master;
    file "/etc/bind/db.wildcard";
};
========
named.conf.options
========
options {
    directory "/var/cache/bind";
    allow-transfer { none; };   // nobody may AXFR the catch-all zone
    listen-on-v6 { any; };
};

logging {
    // Write every query to query.log, keeping 5 rotated files of 50M each.
    channel query_log {
        severity info;
        print-time yes;         // timestamp each line
        file "query.log" versions 5 size 50M;
    };
    category queries {
        query_log;
    };
};
========
db.wildcard
========
$TTL 604800
@       IN  SOA localhost. root.localhost. (
                2009102201  ; serial
                604800      ; refresh
                86400       ; retry
                2419200     ; expire
                604800 )    ; negative cache ttl
@       IN  NS  localhost.
; Wildcard records: any name under the root gets these answers.
*       IN  MX  10 mail.
*       IN  A   192.168.3.101   ; sink address from RFC 1918 space
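The setup above puts every query into query.log; the next step for an operator is reading that file back. The following parser and summary are an added example, not part of the post, and assume the BIND 9 "queries" category line format shown in the constructed sample lines (timestamp, client address#port, name, class, type, flags, and the server address in parentheses; newer releases add a "@0x..." handle and the name in parentheses after the client).

```python
import re
from collections import Counter

# Constructed sample lines in the shape BIND 9 writes to the "queries" category.
# Assumption: older releases omit the "@0x..." handle and "(name)" parts.
SAMPLE_LOG = """\
02-Mar-2010 15:49:20.123 client 203.0.113.5#53412: query: www.example.com IN A + (192.168.3.101)
02-Mar-2010 15:49:21.456 client 203.0.113.5#53413: query: mail.example.net IN MX - (192.168.3.101)
02-Mar-2010 15:49:22.789 client 198.51.100.7#40000: query: abc123.dyndns.example IN A + (192.168.3.101)
02-Mar-2010 15:49:23.001 client @0x7f3a1c0 198.51.100.7#40001 (version.bind): query: version.bind CH TXT +E(0)K (192.168.3.101)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]+)\)$"
)

def parse_query_log(lines):
    """Return one dict per well-formed query line; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["name"] = rec["name"].rstrip(".").lower()
        # First flag character: '+' means the client asked for recursion, '-' that it did not.
        rec["recursion_desired"] = rec["flags"].startswith("+")
        records.append(rec)
    return records

def summarize(records):
    """Aggregate what a honeypot operator reviews: who asks, for what, and of which type."""
    return {
        "by_client": Counter(r["ip"] for r in records),
        "by_name": Counter(r["name"] for r in records),
        "by_type": Counter((r["qclass"], r["qtype"]) for r in records),
        "non_recursive": sum(1 for r in records if not r["recursion_desired"]),
    }

if __name__ == "__main__":
    summary = summarize(parse_query_log(SAMPLE_LOG.splitlines()))
    for ip, n in summary["by_client"].most_common():
        print(f"{ip:<16} {n} queries")
```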
