eu got to be kidding me

citizen may the children’s entertainer

The zoo had some .eu domains* and they are to be withdrawn within a year or so, or so the plan was, with brexit going sideways and the children's entertainer at the helm. It's a lot of work for me and the zoo, which I have already done.

One is basically a secondary mx, the other is used by users.

So I and my users had to

  • buy new domains
  • move email
  • create dns zones
  • sign the zones
  • redirect mailstores
  • add mail servers
  • web things
  • etc

So all of a sudden I have a shit load of stuff to do. Domains are more popular than they used to be but I got some good replacements cheaply. In a couple of hours I got a basic DNS zone set up that has a slave which I can change the registrar nameservers to.

I have to delete a number of zone file records in the existing zones too.

Fuck you if you voted to leave, and enjoy May's balloon animals.

*since 2008 or whenever they got released.

Sherman Hopkins jr and domain name theft

Sherman Hopkins, Jr. (aged 43 in 2018), from Cedar Rapids, is famous for all the wrong reasons: for using robbery of a person to steal a domain name.

Bullets were used.

Unlike sex.com (my blog), a more ingenious theft despite its paper trail, which means he was not the first.

Hopkins is now famous for being the first to use violence and so will go down in history as a trailblazer. Maybe he can save up and rent a domain name in 2039 when this thug leaves prison.

Normally that's what you do. I think rentathug.com might be available then, or ShermanHopkinsthug is something well worth looking at; I am sure Mr Hopkins will get what he wants with his skillset.

rpz secret society woes in bind on debian

Sisyphus is still a role model

So I wanted a DNS firewall (my blog); I did not want to pay or use a blocklist nameserver, so it was time to do it yourself. So our DNS nameserver got upgraded eventually and I had a go.

RPZs supposedly made this easy with all bad sites in one file, as opposed to the many files per site.tld [per zone in rbldns, and slow], although RPZ usage is hard to track down. My first attempt was met with

ignoring out-of-zone data (citricbenz. website)

Apparently it should be made with

citricbenz. website. in cname .

citricbenz.website was a Zeus trojan server* when I wrote this and still might be, and it is the only entry in my zone.

However, it doesn't work until you assign a policy, and policies have bizarre syntax. Something kind of does and does not work:

changed from 2 to 1 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries

So something is working.

The next day was interesting as I used the Chrome browser, which passed along my attempts to access the named example; I had to assure CBL that I was not Zeus infected, as I use CBL on the zoo's website (my blog). Moral of the tale: do not use Google software things to try out security stuff.

Having fixed that issue on our internal router I had a bit more luck and got a working RPZ zone by blocking yahoo.com, as that's safer to test with. My attempts to display a redirected website message ended in failure, although NXDOMAIN works.

I still seem to be resolving the real IP rather than looking up the zone I created, which means I am close, and I achieved interception of the request with

zone "internal.zoo" policy passthru;
zone "rpz.zoo" policy cname compromised.zoo;

The cname compromised.zoo redirects the bad site request** to compromised.zoo., .zoo being our domain name/TLD and compromised being the zone name. It tells a user that something is wrong.

Logging is important here.

Order matters here [precedence]: the passthru is first, and the more restrictive one after. Note the lack of semicolons and quote statements, which feels a bit odd when option { x; y; z }; is the normal syntax bind knows and parses and most of us expect.
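Added example (not from the original post): a small shell script that builds an RPZ zone file from a plain list of bad names and checks an existing zone file for the absolute owner names that make named log "ignoring out-of-zone data". The zone name rpz.zoo and the sample names are constructed; the point is that owner names inside the zone file are written relative to $ORIGIN, so citricbenz.website becomes citricbenz.website.rpz.zoo. and the "CNAME ." target is the RPZ trigger for NXDOMAIN.

```shell
#!/bin/sh
# Added example: generate a BIND response policy zone and check zone files
# for out-of-zone owner names. Zone rpz.zoo and all names are constructed.

# make_rpz_zone ZONE SERIAL < domains.txt  -> zone file on stdout
# Owner names are emitted RELATIVE (no trailing dot), so under $ORIGIN rpz.zoo.
# "citricbenz.website CNAME ." is citricbenz.website.rpz.zoo., which named
# accepts; "citricbenz.website. CNAME ." (absolute) is out-of-zone data.
make_rpz_zone() {
    zone=$1
    serial=$2
    printf '$TTL 60\n'
    printf '$ORIGIN %s.\n' "$zone"
    printf '@ IN SOA ns1.%s. hostmaster.%s. %s 3600 900 604800 60\n' "$zone" "$zone" "$serial"
    printf '@ IN NS ns1.%s.\n' "$zone"
    # drop comment and blank lines, lower-case, strip a trailing dot, dedupe
    grep -v '^[[:space:]]*#' \
      | tr 'A-Z' 'a-z' \
      | sed 's/[[:space:]]*$//; s/\.$//; /^[[:space:]]*$/d' \
      | sort -u \
      | while read -r name; do
            printf '%s CNAME .\n' "$name"
        done
}

# check_out_of_zone ZONE < zonefile  -> prints absolute owner names that are
# not inside ZONE (the ones named rejects); exit status 1 if any were found
check_out_of_zone() {
    awk -v zone="$1." '
        /^[[:space:]]*$/ { next }          # blank line
        /^[[:space:]]*[;$@]/ { next }      # comment, $TTL/$ORIGIN, @ (the apex)
        {
            owner = $1
            # an absolute name is in-zone only if it is the zone or ends in ".zone."
            if (owner ~ /\.$/ && owner != zone &&
                substr(owner, length(owner) - length(zone)) != "." zone) {
                print owner
                bad = 1
            }
        }
        END { exit bad }'
}

# Usage:  make_rpz_zone rpz.zoo 2019010101 < domains.txt > rpz.zoo.db
#         check_out_of_zone rpz.zoo < rpz.zoo.db
```

The generated file is what the zone "rpz.zoo" statement in response-policy { ... } loads; the serial has to go up on every regeneration or the slave described later on the page will not transfer it.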

Your web browser is faster than our DNS RPZ and has the same data.

So a race condition can develop. If you have infected things the RPZ will do more than just the blocklist your browser uses, and the log will record the RPZ hit.

client internal.zoo.lan#16983 (windrushvalleyjoinery.co.uk): rpz QNAME DROP rewrite windrushvalleyjoinery.co.uk via windrushvalleyjoinery.co.uk.malware.zoo

This stuff is quite hard to figure out

As to whose fault this is: after all, the zoo clearly should be paying some security firm for this, run by the three and a half DNS professionals on the internet who guard this knowledge like a secret, or the knowledge is out of date.

Stats are interesting; bind reported

[malware.zoo]
                   7 response policy zone rewrites

So not informative. That seems a good place to end.
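Added example (not from the original post): the statistics line only gives a total, but the log line shown above carries the client, the name, the action and which RPZ zone matched, so a little awk over named's log turns it into per-client and per-zone counts. The log lines below are constructed samples in the shape of the one in the post.

```shell
#!/bin/sh
# Added example: summarise RPZ rewrites from named's log. SAMPLE_LOG is
# constructed test data in the shape of the "client ... rpz QNAME ..." line.

SAMPLE_LOG='client internal.zoo.lan#16983 (windrushvalleyjoinery.co.uk): rpz QNAME DROP rewrite windrushvalleyjoinery.co.uk via windrushvalleyjoinery.co.uk.malware.zoo
client laptop.zoo.lan#5301 (citricbenz.website): rpz QNAME NXDOMAIN rewrite citricbenz.website via citricbenz.website.rpz.zoo
client laptop.zoo.lan#5302 (yahoo.com): rpz QNAME CNAME rewrite yahoo.com via yahoo.com.rpz.zoo
client internal.zoo.lan#17001 (example.org): query: example.org IN A + (192.0.2.53)'

# rpz_hits < named.log  -> one line per rewrite: client qname action rpz-zone
# Fields are located relative to the "rpz" token, so a syslog prefix or the
# "@0x..." client pointer newer named versions print do not matter.
rpz_hits() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "rpz") break
            if (i > NF || i < 3) next                 # not an RPZ rewrite line
            client = $(i - 2); sub(/#.*/, "", client)  # drop the source port
            action = $(i + 2)                          # DROP, NXDOMAIN, CNAME, ...
            qname  = $(i + 4)
            via    = $(i + 6)                          # <qname>.<rpz zone>
            zone   = substr(via, length(qname) + 2)
            print client, qname, action, zone
        }'
}

# rpz_top_clients < named.log  -> "count client", busiest first
rpz_top_clients() {
    rpz_hits | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# rpz_zone_counts < named.log  -> "count zone", comparable to named's stats
rpz_zone_counts() {
    rpz_hits | awk '{ n[$4]++ } END { for (z in n) print n[z], z }' | sort -rn
}

# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | rpz_top_clients
# or a real log:  rpz_top_clients < /var/log/named/named.log
```

The per-client count is the useful one for a small network: one client that keeps hitting the zone is the machine to look at, whereas the bare rewrite total from the statistics channel cannot distinguish a test query from an infected host.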

I might do a further post on how I make zones, but being honest the zoo appears to be immune from visiting dodgy sites, as the browser stops it first, and so while the zones exist they do not trigger for lack of a match.

the day the internet came and visited our nameservers and probed them.

I bought replacement domain names (my blog), created zones (plus slaves), and moved the glue to our name servers, and after doing DNSSEC (my blog), boom, everybody came and visited.

I have no records except for NS and the DNSSEC ones, but I have managed to clear 300 emails informing me of these hosts exploring our zone. The end of day stats were:

Banned services with Fail2Ban: Bans:Unbans
named-refused: [337:337]

I think that's pretty good going to buy a domain, set up DNSSEC, and move name servers in a day while also doing other things. You all looked up some odd records that would never exist.

My configuration error was with an ACL, which had me flummoxed for a time later since I saw no issue with the appended zone file contents, and after 'fixing' everything else it then dawned on me, stupidly, that the config ACL was to blame.

Those bans would have still triggered.

Since I had not advertised the domain name in any way I was impressed by the activity, and there is not a lot you can do with an empty zone except admire the DNSSEC (my blog).

That must have been it – very cool dnssec

domain registrar upgrade fail

Carol Beer little britain says computer said no

I was using a registrar who upgraded their website. I did not like it and was going to lose the domains* anyhow, but I was forced to upgrade to the new system, which sort of worked but undid a lot of stuff.

I recently tried to re-login and found the enrolment of the user account did not complete. Something had timed out.

Could have but did not – why bother.

*I DNS poisoned those domains.

slave zones and rpz config with bind

Eventually the zoo set up a secondary DNS server on separate hardware and I had the job of doing the slave zones. Having done much of the grunt work, the zones did not want to transfer as somebody forgot to set up rndc.

Once done, things worked and we now have two RPZ-serving DNS servers. I was not sure if I needed the RPZ config on both but it makes sense to me.

retards with dmarc smartfocus.onmicrosoft.com

Crook

Another retard who used Microshit (my blog)

dmarc-722-08-92xze@emvdmarc.com
Remote Server returned ‘554 4.3.2 mailbox busy; STOREDRV.Deliver.Exception:StoragePermanentException.MapiExceptionMaxObjsExceeded; Failed to process message due to a permanent exception with message Cannot complete delivery-time processing. 16.55847:B1020000, 17.43559:0000000090000000000000000000000000000000, 20.52176:140FE5810F0010106C020000, 20.50032:140FE5817F17101071020000, 0.35180:03000B37, 255.23226:76020000, 255.27962:0E000000, 255.31418:7B020000, 16.55847:8F010000, 17.43559:0000000090020000000000000F00000000000000, 20.52176:140FE5810F0010105B050000, 20.50032:140FE5817F17101060050000, 0.35180:0A00B780, 255.23226:65050000, 255.27962:0A000000, 255.27962:9E000000, 255.17082:E4040000, 0.18273:6F050000, 4.21921:E4040000, 255.27962:FA000000, 255.1494:0A00BB80, 255.1238:79050000, 1.29920:07000000, 7.29828:41420F000000000000000000, 7.29832:40420F000000000005000780, 4.45884:E4040000, 4.29876:E4040000, 4.30344:E4040000, 4.37696:E4040000, 4.58176:E4040000, 7.40748:010000000000010C00000000, 7.57132:00000000000000000F010480, 1.63016:9E000000, 4.39640:E4040000, 8.45434:10D38DFFA885F2418179636382C870570F010480, 5.10786:0000000031352E32302E303438352E3031353A5649315052303630314D42323430303A38623266373864612D303436612D343561632D393363352D383533343364623537393438000F010480, 255.1750:C4050000, 255.31418:80030400, 0.22753:80030400, 255.21817:E4040000 [Stage: DeliverMessage]’

Well done, retards: proving yet again that Microsoft is really crap at everything.

Gandi [dns registrar] pisses me off by migrating and forgetting two year old changes.

Sisyphus is still a role model

Two years ago I had to alter some whois records, which is not particularly hard, and I did a lot of them, checking them as well, since it is a time consuming activity I did not want to redo. I was happy and...

Gandi (not the Indian) decided to roll back some of my changes and make me migrate to some horrible web interface just to do anything, including re-changing the whois contacts from the two year old information, which the new thing thought was best, back to what it should have been, when I went back recently.

I won't be buying domains from Gandi anytime soon. While it might be pretty, having to re-change something just because of an upgrade is annoying.

I think I know how this revoke happened, and logically, while it may have been the migration logic that rolled back the changes, I did nothing wrong since I did make them, but from the wrong contact, which apparently was bad. Go figure.

rpz updates in the real world

So after this I discovered that the updates were not huge, so I waited a day and counted; my diff syntax left much to be desired.

$ wc -l domains.txt domains.old ips.txt ips.old
15269 domains.txt
15125 domains.old
1903 ips.txt
2010 ips.old

Cleaning up except the house

So DNS went up, and the IP side of things went down; it seems ISPs do clean up bad IPs, but not those with DNS.

Another day in rpz mode

wc -l domains.rpz domains.rpz.0
30193 domains.rpz.0
31027 domains.rpz

So not a lot of movement, -166 in a day; rpz.0 is older and the rpz file the freshest.

Since the zoo does not pay for RPZ access you still need a virus scanner on email, since some names and IPs are a bit too fresh. But saying that, the RPZ will drop traffic from internal clients, so if you have to deal with shit Microsoft clients you're generally a lot safer.

I log RPZ activity and only I have triggered it so far, so for the zoo it's probably unnecessary, being a non-Microsoft shop, since MS software is a security threat (my blog).

Updates will be made to the RPZs but not often; after all, if your domain or IPs are listed then you probably deserve some quarantine period.

Spamhaus's DROP lists do not really change

wc -l drop.txt drop.txt.0 edrop.txt edrop.txt.0
800 drop.txt
801 drop.txt.0
56 edrop.txt
56 edrop.txt.0

comm utility output is hard to gauge; although the line counts stay the same, it would appear I have to sort both files to get meaningful changes out of it.
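Added example (not from the original post), covering both the domains.txt/domains.old counts above and the DROP list comparison here: comm only works on sorted input, and wc -l only shows the net change, so the functions below normalise both snapshots (comments such as the "; SBLnnn" tails stripped, lower-cased, trailing dots removed, sorted) and then report what was added and what was removed separately. The sample entries are constructed.

```shell
#!/bin/sh
# Added example: diff two snapshots of a blocklist feed properly.
# Sample entries in the usage comment and test are constructed.

# normalize_list < file -> sorted unique entries; ';' and '#' comments,
# surrounding whitespace, case and a trailing dot are removed so the same
# name in two feeds compares equal
normalize_list() {
    sed 's/[;#].*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//; /^$/d' \
      | tr 'A-Z' 'a-z' | sort -u
}

# added_entries OLD NEW   -> entries only in NEW
# removed_entries OLD NEW -> entries only in OLD
added_entries()   { _list_diff -13 "$1" "$2"; }
removed_entries() { _list_diff -23 "$1" "$2"; }
_list_diff() {
    o=$(mktemp); n=$(mktemp)
    normalize_list < "$2" > "$o"
    normalize_list < "$3" > "$n"
    comm "$1" "$o" "$n"          # comm needs both inputs sorted the same way
    rm -f "$o" "$n"
}

# change_summary OLD NEW -> counts on one line; "net" is all that wc -l shows,
# "added" and "removed" are the churn it hides
change_summary() {
    old_n=$(normalize_list < "$1" | wc -l | tr -d ' ')
    new_n=$(normalize_list < "$2" | wc -l | tr -d ' ')
    add_n=$(added_entries "$1" "$2" | wc -l | tr -d ' ')
    rem_n=$(removed_entries "$1" "$2" | wc -l | tr -d ' ')
    printf 'old=%s new=%s added=%s removed=%s net=%s\n' \
        "$old_n" "$new_n" "$add_n" "$rem_n" "$((add_n - rem_n))"
}

# Usage:  change_summary domains.old domains.txt
#         added_entries drop.txt.0 drop.txt
```

Running change_summary on the two RPZ files a day apart is the quick way to see whether a small net difference is really "not a lot of movement" or a large number of names rotating in and out, which matters for how stale a self-maintained RPZ gets between refreshes.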

dkim goes weird

postman pat is faster than yahoo


The zoo lost its DKIM somewhere (my blog) during a TLS upgrade. I still had SPF and TLS, so when a DMARC report (my blog) alerted me I spent a few days trying to figure out what went wrong.

No user informed me either.

opendkim is downright zen-like at times with messages like 'not internal', but eventually it seems adding some IP addresses to the trusted hosts file and some _adsp DNS lines kind of worked.

I do not quite grok ADSP and ATPS with its base32 stuff that I failed to decode, and if I am feeling odd I will blog more on those things, since we all love those kinds of blog posts.

The zoo4 domain still has a problem, but it was last to be fixed; one more day and I try again, as I now have SPF, DKIM and TLS working on the other three domains. zoo4 generally does not send email, but I would love to know why it stopped working.

Most people would not notice. Which is telling.

Probably something normal tomorrow if you have no idea what I am going on about today.