ioc2rpz is a place where threat intelligence meets DNS

Homas committed Feb 25, 2019
1 parent 011b310 commit 4c8331d53b7f923ed68ffb1abb2a213801eda9fd
Showing with 258 additions and 240 deletions.
  1. +4 −1 ChangeLog.md
  2. +5 −2 README.md
  3. +1 −0 TODO.md
  4. +8 −3 cfg/ioc2rpz.conf
  5. +6 −4 include/ioc2rpz.hrl
  6. +114 −98 src/ioc2rpz.erl
  7. +28 −11 src/ioc2rpz_proc_sup.erl
  8. +92 −121 src/ioc2rpz_sup.erl
@@ -1,12 +1,15 @@
# ioc2rpz change log
[CB] - Changed Behaviour

## 2019-02-24 v0.9.2.0
- DoT (DNS over TLS) support for zone transfer, SOA and management requests (DNS Notify is not supported).

## 2019-02-22 v0.9.1.1
- UDP service moved under supervisor

## 2019-02-15 v0.9.1
- [CB] Connection and key validation log messages were formated in CEF
- [ ] Request to reload TSIG keys list only.
- Request to reload TSIG keys list only.

## 2018-09-22
- IPv6 support
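Review bot: the v0.9.2.0 entry should say whether DoT is considered complete or partial, because TODO.md in this same commit still lists "- [ ] DoT https://tools.ietf.org/html/rfc7858" as open while the changelog announces support; the parenthetical "(DNS Notify is not supported)" is the only hint, and a one-line statement such as "DoT: AXFR/IXFR, SOA and MGMT only; NOTIFY still plain DNS" would remove the ambiguity. Replacing "- [ ] Request to reload TSIG keys list only." with the checkbox-free line is a good cleanup, since task checkboxes do not belong in a release log.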
@@ -298,8 +298,10 @@ responsepolicyzone,notracking.ioc2rpz,FORWARD,Nxdomain,,default,responsepolicy,s
### Sample DIG (to get SOA)
```
dig @94.130.30.123 -y hmac-sha256:ioc2rpz-public:CM1HB7f6JC5lwRa5SruT2A== dns-bh.ioc2rpz SOA
dig @94.130.30.123 -y hmac-sha256:ioc2rpz-public:CM1HB7f6JC5lwRa5SruT2A== notracking.ioc2rpz SOA
dig @94.130.30.123 -y hmac-sha256:ioc2rpz-public:CM1HB7f6JC5lwRa5SruT2A== dns-bh.ioc2rpz SOA
dig @94.130.30.123 -y hmac-sha256:ioc2rpz-public:CM1HB7f6JC5lwRa5SruT2A== notracking.ioc2rpz SOA
kdig @94.130.30.123 -y hmac-sha256:ioc2rpz-public:CM1HB7f6JC5lwRa5SruT2A== dns-bh.ioc2rpz SOA +tls

```
## Some free threat intelligence feeds
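Review bot: the new `kdig ... +tls` line relies on kdig's default DoT port and the README never states it; since include/ioc2rpz.hrl in this commit defines `-define(PortTLS,853). %DoT Port`, say so next to the example and make clear that the four preceding `dig` lines are plain DNS on port 53 (dig itself has no TLS option). The two `dig` lines also appear twice in the hunk; if that is only a whitespace change it is harmless, otherwise the duplicate pair should be dropped.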
@@ -322,6 +324,7 @@ You can find other IOC feeds on the wiki-page: https://github.com/Homas/ioc2rpz/
- [A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)](https://tools.ietf.org/html/rfc1996)
- [Extension Mechanisms for DNS (EDNS(0))](https://tools.ietf.org/html/rfc6891) + [ENDS Option Codes](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11)
- [Domain Name System (DNS) Cookies](https://tools.ietf.org/html/rfc7873)
- [Specification for DNS over Transport Layer Security (TLS)](https://tools.ietf.org/html/rfc7858)
# License
Copyright 2017 - 2018 Vadim Pavlov ioc2rpz[at]gmail[.]com
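Review bot: the License section still reads "Copyright 2017 - 2018" while cfg/ioc2rpz.conf is bumped to "2017-2019" in this same commit; update the README year range for consistency. The adjacent context line also spells "ENDS Option Codes" where "EDNS Option Codes" is meant, worth fixing while this list is being touched.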
@@ -3,6 +3,7 @@
## Core
- [ ] DoH https://tools.ietf.org/html/rfc8484
- [ ] DoT https://tools.ietf.org/html/rfc7858
- [ ] DoD https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls-06
- [ ] Redo AXFR logs
- [x] Error log messages in CEF
- [ ] MGMT Request to update TSIG keys and RPZs
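Review bot: "- [ ] DoT https://tools.ietf.org/html/rfc7858" is still unchecked although ChangeLog.md in this commit announces DoT support for zone transfer, SOA and management requests; either tick it, or narrow the remaining item to what the changelog says is missing (DNS NOTIFY over TLS) so the TODO and the changelog agree.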
@@ -1,4 +1,4 @@
%Copyright 2017-2018 Vadim Pavlov ioc2rpz[at]gmail[.]com
%Copyright 2017-2019 Vadim Pavlov ioc2rpz[at]gmail[.]com
%
%Licensed under the Apache License, Version 2.0 (the "License");
%you may not use this file except in compliance with the License.
@@ -15,7 +15,12 @@
%ioc2rpz configuration file

%Server's NS record, email and MGMT keys
{srv,{"ns1.rpz-proxy.com","support.rpz-proxy.com",["dnsmkey_1","dnsmkey_2","dnsmkey_3"],["127.0.0.1"]}}.
{srv,{"ns1.rpz-proxy.com","support.rpz-proxy.com",["dnsmkey_1","dnsmkey_2","dnsmkey_3"],["127.0.0.1","::1"]}}.

%Certificate for DoT
%???ciphers,reuse_sessions,protocol_version 'tlsv1.2', hibernate_after
%{cert,{"cfg/certfile.pem", "cfg/keyfile.pem", "cfg/cacertfile.pem"}}.
{cert,{"cfg/ioc2rpz_dot.crt", "cfg/ioc2rpz_dot.key", ""}}.

%Keys
{key,{"dnsproxykey_1","md5","apXqLsDs90H213eV6LS9ryYp5tY8YTpkttOkRCve7dp1Zeob3SGAbaVU9BShpsW25MmR8mTiX5OY0Qetv977Yw=="}}.
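Review bot: the shipped config carries an unresolved question in `%???ciphers,reuse_sessions,protocol_version 'tlsv1.2', hibernate_after`; turn it into a concrete TODO or resolve it before release, and in particular decide and document the minimum protocol version the DoT listener accepts, since the comment hints at TLS 1.2 but the `{cert,...}` tuple has no field for it. The third element of `{cert,{"cfg/ioc2rpz_dot.crt", "cfg/ioc2rpz_dot.key", ""}}.` is an empty cacertfile with no comment saying what empty means (no chain sent, or no CA configured); a short comment above the line, matching the commented `%Certificate for DoT` example, would prevent misconfiguration. Adding "::1" to the MGMT ACL alongside "127.0.0.1" is consistent with the IPv6 support already listed in the changelog.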
@@ -56,7 +61,7 @@

%Non cacheable/live RPZ from a local file
{rpz,{"duplicate.ioc2rpz",7202,3600,2592000,7200,"false","false","nodata",["dnsproxykey_1"],"fqdn",30,30,["duplicate"],[],[]}}.
{rpz,{"duplicate_c.ioc2rpz",7202,3600,2592000,7200,"true","true","nodata",["dnsproxykey_1"],"fqdn",30,30,["duplicate"],[],[]}}.
{rpz,{"duplicate_c.ioc2rpz",7202,3600,2592000,7200,"true","true","nodata",["dnsproxykey_1", "dnsproxykey_2"],"fqdn",30,30,["duplicate"],[],[]}}.

%Local response
%{rpz,{"localdata.ioc2rpz",7202,3600,2592000,7200,"false","true",[{"local_aaaa","fe80::1"},{"local_a","127.0.0.1"},{"local_a","127.0.0.2"},{"local_a","127.0.0.3"},{"local_a","127.0.0.4"},{"local_cname","www.example.com"},{"local_txt","Text Record www.example.com"},{"local_txt","Text Record 2"}],["dnsproxykey_1", "dnsproxykey_2"],"mixed",30,30,["small_ioc"],[],["whitelist_1","whitelist_2"]}}.
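Review bot: the changed `duplicate_c.ioc2rpz` entry now lists `"dnsproxykey_2"` in its TSIG key list, but the only `{key,...}` definition visible in this diff is `dnsproxykey_1`; confirm that `dnsproxykey_2` is defined elsewhere in cfg/ioc2rpz.conf (the commented `localdata.ioc2rpz` example references it too), otherwise the zone references a key the server does not know and transfers signed with it will be rejected.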
@@ -19,6 +19,7 @@
-define(DBStorage,ets). %Defines DBStorage to use. CFG and HotCache are always ETC (may be will be switched to MAP, need profiling)
-define(SaveETS,false). % Save DB into files if DB is ETS.
-define(Port,53). %DNS Port
-define(PortTLS,853). %DoT Port
-define(TTL,900). %Default record TTL

%-define(logTS, true). % Log timestamps (comment or uncomment)
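Review bot: `-define(PortTLS,853). %DoT Port` should say whether the DoT listener is started unconditionally or only when a `{cert,...}` entry is present in cfg/ioc2rpz.conf, since a server without a certificate cannot serve port 853 and the failure mode is not obvious from this header. Two typos in the surrounding context line are also worth fixing while here: "always ETC" should read "always ETS", and "may be will be switched" should read "maybe will be switched".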
@@ -38,7 +39,7 @@
%%%%%%
%%%%%% Do not modify any settings below the line
%%%%%%
-define(ioc2rpz_ver, "0.9.1.1-2019022201").
-define(ioc2rpz_ver, "0.9.2.0-2019022401").

-define(ZNameZip,16#c00c:16). %Zone name/original fqdn from a request is always at byte 10 in the response
-define(MaxZipPSize,16#3FFF:16). %Max packet size to zip DNS labels
@@ -103,13 +104,14 @@
-record(dns_SOA_RR, {name, type, class, ttl, rdlength, mname, rname, serial, refresh, retry, expire, minimum}).

%State record
-record(state, {socket, socket6, params}).
-record(state, {socket, tls, params}).

%Protocol udp/tcp + qname, qtype, qclass, keyname
-record(proto, {proto,rip,rport, qname, qtype, qclass, keyname}).
-record(proto, {proto, tls, rip, rport, qname, qtype, qclass, keyname}).

%Config params
-record(srv, {server,email,mkeys,acl}).
-record(cert, {certfile,keyfile,cacertfile}).
-record(srv, {server,email,mkeys,acl,cert}).
-record(key, {name,alg,key,name_bin}).
%SOA timers refresh, retry, expiration, neg_ttl
%status: notready, updating, ready
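Review bot: `-record(state, {socket, tls, params}).` drops the `socket6` field, so every construction and pattern match on `#state{socket6=...}` in src/ioc2rpz.erl, src/ioc2rpz_sup.erl and src/ioc2rpz_proc_sup.erl (changed in this commit but not shown here) must be updated or compilation will fail; likewise the new `tls` field in `#proto{}` needs a comment stating its value (e.g. true/false) because it will presumably end up in the CEF connection log messages. The hunk also shows both `-record(cert, {certfile,keyfile,cacertfile}).` and `-record(srv, {server,email,mkeys,acl,cert}).`; document whether `srv.cert` holds a `#cert{}` record or the raw 3-tuple from the config file, since the two cannot be pattern-matched interchangeably.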
