pthomp@gmail.com wrote:
> Greetings all,
>
> I'm trying to write a document about how we could intercept requests to
> potentially malicious websites using DNS forwarding. After doing some
> reading I stumbled across stub zones. What I don't fully understand is
> the implementation of this or which would be better.
>
> Example:
>
> Client infected with malware tries to get to something.ru So we tell
> our internal DNS servers to tell the client that instead of going out,
> my little server over here is actually something.ru effectively
> intercepting the request.
>
> I assumed creating a simple forward zone for *.ru would be the best way
> to accomplish this, but then I have to create a forward zone for every
> domain I want forwarded. With the stub zone I understand that I could
> just provide the DNS admin the root.stubs.conf file and this would
> effectively accomplish the same thing? Can you use wildcards in the
> root.stubs file? i.e. *.ru?
>
> Could someone please clarify this for me as I'm confused if they work
> the same way.
>
> Thanks in advance.
>


This is how a stub zone works:

In /etc/named.conf

....
#
# stub zones

zone "ewe" {
        type stub;
        file "stub/ewe";
        masters { 71.132.98.41; 64.62.206.88; 64.62.206.91; };
};
....

Now BIND will query the masters and build the following file:

/var/named/stub/ewe

$ORIGIN .
$TTL 3600       ; 1 hour
ewe                     IN SOA  lear.cavebear.com. karl.cavebear.com. (
                                2006021100 ; serial
                                172800     ; refresh (2 days)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                172800     ; minimum (2 days)
                                )
$TTL 172800     ; 2 days
                        NS      lear.cavebear.com.
                        NS      puck.iwl.com.
                        NS      ariel.iwl.com.



Now replace the masters with your own and copy and edit the zone file.

Don't forget to edit /etc/named.conf from "type stub;" to "type master;"
on your master and add whatever you like to the zone file.

Don't forget to put in your NS records and delete the original ones.

It might be a good idea to increment the serial number.

Normally I use stub zones for other things.


Kind regards
Peter and Karin


--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
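To tie the two messages together: the reply above converts a stub zone into a local "type master" zone and then edits the zone file. For the sinkhole case the original poster describes, the practical shape is one master stanza per sinkholed domain (BIND does not accept wildcard zone names such as "*.ru" in named.conf; a zone named "ru" would capture the whole TLD), with every stanza pointing at a single shared zone file whose wildcard A record answers any name under the domain with the sinkhole address. The script below is an added example written for this page, not code from the thread or from BIND; the sinkhole address 192.0.2.10, the names ns1.example.net., hostmaster.example.net. and evil.example, and the file paths are assumptions, and something.ru is taken from the question.

```shell
#!/bin/sh
# Added example: generate a BIND sinkhole configuration.
# Each domain gets its own "type master" stanza in named.conf (BIND has no
# wildcard zone names), but all stanzas share one zone file whose "*" A record
# resolves every name under the domain to the sinkhole host.
# Addresses and names below are assumptions for the example.

SINKHOLE_IP="${SINKHOLE_IP:-192.0.2.10}"        # assumed sinkhole host (TEST-NET-1)
NS_NAME="${NS_NAME:-ns1.example.net.}"          # assumed internal resolver, outside the sinkholed zones
ADMIN="${ADMIN:-hostmaster.example.net.}"       # assumed SOA contact (RNAME form)

# write_zone_file FILE
# Writes the shared sinkhole zone. "@" stands for whichever zone the file is
# loaded as, so a single file can serve every stanza that references it.
write_zone_file() {
    serial=$(date +%Y%m%d01)          # date-based serial; bump it on every edit
    cat > "$1" <<EOF
\$TTL 3600
@       IN SOA  $NS_NAME $ADMIN (
                $serial ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300        ; negative-cache TTL, kept short so removals take effect quickly
                )
@       IN NS   $NS_NAME
@       IN A    $SINKHOLE_IP
*       IN A    $SINKHOLE_IP
EOF
}

# write_named_conf CONF ZONEFILE DOMAIN...
# Emits one master stanza per domain, all pointing at ZONEFILE.
# Pull the result into named.conf with: include "/etc/named.sinkhole.conf";
write_named_conf() {
    conf="$1"
    zonefile="$2"
    shift 2
    : > "$conf"
    for domain in "$@"; do
        cat >> "$conf" <<EOF
zone "$domain" {
        type master;
        file "$zonefile";
        allow-update { none; };
};
EOF
    done
}

# check_zone DOMAIN ZONEFILE
# Syntax-checks the zone as it would load for DOMAIN, if BIND's tools are installed.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
write_zone_file "$demo_dir/sinkhole.zone"
write_named_conf "$demo_dir/named.sinkhole.conf" "$demo_dir/sinkhole.zone" something.ru evil.example
check_zone something.ru "$demo_dir/sinkhole.zone"
cat "$demo_dir/named.sinkhole.conf" "$demo_dir/sinkhole.zone"
```

After reloading, `dig @127.0.0.1 anything.something.ru A` should return the sinkhole address; if it does not, the serial was probably not bumped or the `file` path is relative to a different `directory` option than expected. Two caveats a practitioner will want: the shared file is loaded once per zone, so a large list costs memory and reload time in proportion, and the interception only works for clients that actually use the internal resolver, so outbound port 53 from anything other than the resolvers needs to be blocked at the perimeter.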