Submit Search
Upload
Getting Started with a DNS Firewall
•
4 likes
•
946 views
APNIC
Follow
Presentation by Eddy Winstead at APRICOT 2018 on Monday, 26 February 2018.
Read less
Read more
Internet
Report
Share
Report
Share
1 of 33
Recommended
Camunda BPM at Zalando: Order Processing at scale
Camunda BPM at Zalando: Order Processing at scale
camunda services GmbH
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and Beyond
Kazuho Oku
CephFS Update
CephFS Update
Ceph Community
Linux crontab
Linux crontab
Teja Bheemanapally
Impacts of Sharding, Partitioning, Encoding, and Sorting on Distributed Query...
Impacts of Sharding, Partitioning, Encoding, and Sorting on Distributed Query...
InfluxData
Introduction to sap jaipur-30 july 2015
Introduction to sap jaipur-30 july 2015
Baalu Kathirvelu
Drupalテーマとthemingの基礎
Drupalテーマとthemingの基礎
Kenji Shirane
Rspamd testing
Rspamd testing
Vsevolod Stakhov
Recommended
Camunda BPM at Zalando: Order Processing at scale
Camunda BPM at Zalando: Order Processing at scale
camunda services GmbH
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and Beyond
Kazuho Oku
CephFS Update
CephFS Update
Ceph Community
Linux crontab
Linux crontab
Teja Bheemanapally
Impacts of Sharding, Partitioning, Encoding, and Sorting on Distributed Query...
Impacts of Sharding, Partitioning, Encoding, and Sorting on Distributed Query...
InfluxData
Introduction to sap jaipur-30 july 2015
Introduction to sap jaipur-30 july 2015
Baalu Kathirvelu
Drupalテーマとthemingの基礎
Drupalテーマとthemingの基礎
Kenji Shirane
Rspamd testing
Rspamd testing
Vsevolod Stakhov
All your SAP passwords belong to us
All your SAP passwords belong to us
ERPScan
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Ahmed El-Arabawy
SAP BASIS Daily Monitoring T - codes
SAP BASIS Daily Monitoring T - codes
Jitendra Ahir
Is Linux ready for safety related applications?
Is Linux ready for safety related applications?
Alexander Much
Asap implementation methodology (2)
Asap implementation methodology (2)
Pradipta Mallick
Sap migration to cloud
Sap migration to cloud
PT Datacomm Diangraha
DNS sous linux
DNS sous linux
Souhaib El
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
APNIC
Make the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PROIDEA
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root Zone
APNIC
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
Positive Hack Days
Consul and Complex Networks
Consul and Complex Networks
slackpad
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
DataWorks Summit/Hadoop Summit
DNSTap Webinar
DNSTap Webinar
Men and Mice
CTD406_Measuring the Internet in Real Time
CTD406_Measuring the Internet in Real Time
Amazon Web Services
DNS - MCSE 2019
DNS - MCSE 2019
Milad Es'Haghi
Building Linux IPv6 DNS Server (Draft Copy)
Building Linux IPv6 DNS Server (Draft Copy)
Hari
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
OpenDNS
Denial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
MarketingArrowECS_CZ
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
More Related Content
What's hot
All your SAP passwords belong to us
All your SAP passwords belong to us
ERPScan
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Ahmed El-Arabawy
SAP BASIS Daily Monitoring T - codes
SAP BASIS Daily Monitoring T - codes
Jitendra Ahir
Is Linux ready for safety related applications?
Is Linux ready for safety related applications?
Alexander Much
Asap implementation methodology (2)
Asap implementation methodology (2)
Pradipta Mallick
Sap migration to cloud
Sap migration to cloud
PT Datacomm Diangraha
DNS sous linux
DNS sous linux
Souhaib El
What's hot
(7)
All your SAP passwords belong to us
All your SAP passwords belong to us
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1)
SAP BASIS Daily Monitoring T - codes
SAP BASIS Daily Monitoring T - codes
Is Linux ready for safety related applications?
Is Linux ready for safety related applications?
Asap implementation methodology (2)
Asap implementation methodology (2)
Sap migration to cloud
Sap migration to cloud
DNS sous linux
DNS sous linux
Similar to Getting Started with a DNS Firewall
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
APNIC
Make the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PROIDEA
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root Zone
APNIC
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
Positive Hack Days
Consul and Complex Networks
Consul and Complex Networks
slackpad
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
DataWorks Summit/Hadoop Summit
DNSTap Webinar
DNSTap Webinar
Men and Mice
CTD406_Measuring the Internet in Real Time
CTD406_Measuring the Internet in Real Time
Amazon Web Services
DNS - MCSE 2019
DNS - MCSE 2019
Milad Es'Haghi
Building Linux IPv6 DNS Server (Draft Copy)
Building Linux IPv6 DNS Server (Draft Copy)
Hari
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
OpenDNS
Denial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
MarketingArrowECS_CZ
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
Oracle Databases on AWS - Getting the Best Out of RDS and EC2
Oracle Databases on AWS - Getting the Best Out of RDS and EC2
Maris Elsins
Quad9 and DNS Privacy
Quad9 and DNS Privacy
CSUC - Consorci de Serveis Universitaris de Catalunya
OpenStack and NetApp - Chen Reuven - OpenStack Day Israel 2017
OpenStack and NetApp - Chen Reuven - OpenStack Day Israel 2017
Cloud Native Day Tel Aviv
Born to be fast! - Aviram Bar Haim - OpenStack Israel 2017
Born to be fast! - Aviram Bar Haim - OpenStack Israel 2017
Cloud Native Day Tel Aviv
Similar to Getting Started with a DNS Firewall
(20)
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root Zone
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
Consul and Complex Networks
Consul and Complex Networks
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
DNSTap Webinar
DNSTap Webinar
CTD406_Measuring the Internet in Real Time
CTD406_Measuring the Internet in Real Time
DNS - MCSE 2019
DNS - MCSE 2019
Building Linux IPv6 DNS Server (Draft Copy)
Building Linux IPv6 DNS Server (Draft Copy)
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
Denial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC signing Tutorial
DNSSEC signing Tutorial
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Oracle Databases on AWS - Getting the Best Out of RDS and EC2
Oracle Databases on AWS - Getting the Best Out of RDS and EC2
Quad9 and DNS Privacy
Quad9 and DNS Privacy
OpenStack and NetApp - Chen Reuven - OpenStack Day Israel 2017
OpenStack and NetApp - Chen Reuven - OpenStack Day Israel 2017
Born to be fast! - Aviram Bar Haim - OpenStack Israel 2017
Born to be fast! - Aviram Bar Haim - OpenStack Israel 2017
More from APNIC
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
APNIC
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
APNIC
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
APNIC
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
APNIC
More from APNIC
(20)
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
Recently uploaded
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Delhi Call girls
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
Matthew Sinclair
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
AanSulistiyo
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
SUHANI PANDEY
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
rahman018755
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
SUHANI PANDEY
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
Matthew Sinclair
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
growthgrids
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
nirzagarg
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
nirzagarg
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
Matthew Sinclair
Recently uploaded
(20)
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
Getting Started with a DNS Firewall
1.
© 2017 ISC Getting
started with a DNS Firewall (DNS RPZ) APRICOT 2018
2.
© 2017 ISC Agenda §
DNS firewall basics § Case Study - Rackspace § Getting Started – technical implementation – steps to trial RPZ § Summary and References
3.
© 2017 ISC Why
do you need a DNS firewall? Botnet C&C Malware Phishing Legitimate
4.
© 2017 ISC Intercept
and remove abuse domains from responses Botnet C&C Malware Phishing Legitimate Interrupt botnet comms. Identify compromised machines Prevent new infections. Block phishing attempts and educate users Free resources for legitimate queries
5.
© 2017 ISC Hosted
services have raised the bar Outsourced resolver services § Google DNS § Quad9.net (launched in late November) § OpenDNS (commercial service from Cisco) § Akamai appliances (recently purchased Nominum) Traditional In-house resolver § Keep your data in-house § Lower cost § Greater control § Improve network security by adding well- maintained RPZs from security experts
6.
© 2017 ISC DNS
Filtering with RPZ § Reputation data is packaged into Response Policy Zones (RPZs) § RPZ’s update frequently via IXFR/AXFR § RPZs include both the filter criteria, and a ‘response policy’ action § DNS software evaluates whether its response matches a filter in the RPZ and applies the policy specified
7.
© 2017 ISC RPZ
Implementations § Open-source – Knot – PowerDNS – BIND § Commercial – Akamai – Bluecat – EfficientIP – Infoblox
8.
© 2017 ISC RPZ
re-writes Responses BIND Recursion or lookup in cache Client Request Response RPZ !) Check response vs RPZ zone files 2) Match on clientIP, Server IP, NSDNAME, etc 3) Apply policy, re-write response 4) Send response 5) write log Re-written response could be: Passthrough NXDOMAIN NODATA local-data DROP
9.
© 2017 ISC BIND
RPZ support Triggers (Filter index) § Qname (FQD) § Client-IP (.rpz- client-ip) § IP (.rpz-ip) § NSDNAME (.rpz-nsdname) § NS-IP (rpz-nsip) Actions § NXDomain § NODATA § Passthru § TCP-Only § DROP § Local-Data
10.
© 2017 ISC Walled
Garden Application Send infected clients to quarantine zone $ORIGIN rpz.example.com. ns.0xc0flc3a5.com.rpz-nsdname CNAME *.walled-garden.example.com Trigger the rpz rule based on the well-known server name for Conficker The “*” prepends the query name to the response racaldftn.com.ai. CNAME racaldftn.com.ai.walled-garden.example.com. racaldftn.com.ai.walled-garden.example.com. A 192.168.50.3 The query is captured in the server logs on the walled garden, identifying the virus You have a walled garden set up that is not part of your rpz $ORIGIN walled-garden.example.com. * A 192.168.50.3
11.
© 2017 ISC RACKSPACE
CASE STUDY
12.
© 2017 ISC Rackspace • Provides
DNS resolution for hosted applications • Wanted to protect customers and the network from Botnets responsible for DDOS • Implemented RPZ company wide October 2016 after extensive testing and evaluation
13.
© 2017 ISC Case
Study - Rackspace - Blocked Abuse Outbound beaconing traffic reduced from ~ 80 MBPS to near zero Botnet C&C C&C other Outbound Inbound
14.
© 2017 ISC Case
Study - Rackspace Domains Blocked by Spamhaus RPZ lists
15.
© 2017 ISC Case
Study - Rackspace - ‘Hits’ at Rackspace for Spamhaus zones Millions It’s not all about the # of hits. Significant negative consequences averted by blocking Botnets and Malware sites.
16.
© 2017 ISC Rackspace
Experience Domains Blocked 217,708 RPZ Hits 275,000,000 Devices Protected 8,734
17.
© 2017 ISC Rackspace
Experience • Able to mitigate infected clients upon activation of RPZ • Notified other users who potentially had the same issues • Prevented large bills / extended downtime for customers who were infected • Support and abuse teams more aware of potential large scale infections
18.
© 2017 ISC GETTING
STARTED WITH RPZ IN BIND
19.
© 2017 ISC How
to enable DNS RPZ and use Spamhaus’ free DROP zone 1. Enabling RPZ logging 2. Creating a local RPZ zone 3. Defining Master and Slave zones 4. Enabling RPZ
20.
© 2017 ISC 1)
Enabling RPZ Logging logging { channel rpzlog { file”rpz.log” versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; }; };
21.
© 2017 ISC 2)
Create Local Zone $TTL 300 @ IN SOA localhost.rpz.local ( 20170913 ; Serial number 60 ; Refresh every minute 60 ; Retry every minute 432000; Expire in 5 days 60 ) ; negative caching ttl 1 minute IN NS LOCALHOST. isc.org IN CNAME rpz-passthru. *.isc.org IN CNAME rpz-passthru. 32.25.195.32.rpz-ip IN CNAME rpz-passthru. ;whitelist 34.194.195.25/32 32.71.219.35.rpz-ip IN CNAME rpz-passthru. ;whitelist 35.156.219.71/32 baddomain.com IN CNAME . ;local block against baddomain.com *.baddomain.com IN CNAME . ;local block against *.baddomain.com
22.
© 2018 ISC 3)
Defining zones in configuration zone “rpz.local” { type master; file “rpz-zone/db.rpz.local”; allow-transfer { none; }; allow-query { localhost; }; }; Master Zone 22
23.
© 2018 ISC 3)Defining
zones in configuration zone “drop.rpz.spamhaus.org” { type slave; file “db.drop.rpz.spamhaus.org”; masters { 35.156.219.71; 34.194.195.25; }; allow-transfer { none; }; allow-query { localhost; }; }; Slave Zone 23
24.
© 2017 ISC 4)
Enabling Response Policy Zone options { response policy { zone “rpz.local”; zone “drop.rpz.spamhaus.org”; }; };
25.
© 2017 ISC Notes
to consider § Create a backup of your named.conf § Test first with passthru 10-14 days § Always have your local zone listed first in priority and others by most egregious § Consider customer notification prior to implementation
26.
© 2017 ISC SUMMARY
27.
© 2017 ISC Requirements §
BIND 9.12 has refactored (faster, non-blocking RPZ) § BIND 9.9 or later will work § Subscribe to one or more RPZ feeds § RPZ feeds are available from: Spamhaus/Deteque, SURBL, Farsight, Switch (see dnsrpz.info)
28.
© 2017 ISC Recommendations §
As with any blocklist, you have to be on the watch for false-positives. § Subscribe to a well-managed list(s) § Enable RPZ in log-only mode at first § Establish passthrough for local zones § Monitor RPZ logs
29.
© 2017 ISC Don’t
forget ... the importance of white listing your own internal zones to prevent accidental blocking https://kb.isc.org/article/AA-00522/0
30.
© 2017 ISC What
is ‘FastRPZ’ § A new RPZ service module from Farsight Security – separate software, not open source – loads large zones faster than even BIND 9.12 § BIND 9.12 has a RPZ Service Interface that will hand off RPZ work to this module § The RPZ service module is external to BIND and can support multiple DNS software systems (e.g. Unbound)
31.
© 2017 ISC References RPZ
web site with data feed providers list - https://dnsrpz.info Security Zones - Rackspace Case Study http://www.securityzones.net/images/downloads/Rackspace-RPZ- Case-Study.pdf Free Trial - http://www.securityzones.net/free-trial.html KB articles on RPZ: https://kb.isc.org/article/AA-00525/110/Building- DNS-Firewalls-with-Response-Policy-Zones-RPZ.html Installation Guide for BIND with RPZ with links to example files: https://www.isc.org/wp-content/uploads/2017/11/BIND_RPZ.pdf DNS Response Policy Zones IETF draft: https://tools.ietf.org/html/ draft-ietf-dnsop-dns-rpz-00
32.
© 2017 ISC QUESTIONS
33.
© 2017 ISC Thank
You! contacts: info@isc.org