Forwarding DNS Queries from Windows 2008 to BIND Sinkhole

Scenario:

1 AD + DNS Win2k8 r2
1 Slackware BIND SINKPOT
1 Honeypot distribution by Brute force.

I need to forward unresolved queries from the Windows DNS server to the BIND sinkhole and then redirect them to the honeypot for the same domain:
mydomain.local

Has anyone done this before?
Asked by Daniel Beard.

asavener commented:
Setting up the forwarding from Windows 2008 is straightforward.  Configure the sinkhole as the forwarding address and uncheck the option to perform recursive lookups.  If you only want to do it for mydomain.local, you configure a conditional forwarder instead of a global forwarder.


I know that BIND has similar settings, but it's in the config file rather than a GUI interface.
Daniel Beard (author) commented:
Thanks asavener. The goal is to redirect all unresolved queries to the sinkhole server, which will resolve them to the honeypot server. I am having a hard time getting the sinkhole server configured correctly.
After some testing I realised that the BIND server was rejecting queries, and it still is, even though it is set up as a recursive server. I also checked the configuration files to make sure everything is allowed...
Still no joy. On top of that I need to configure the sinkhole server too, but first I want to make sure DNS is working correctly.
asavener commented:
Can you describe a little more what you're trying to do?  Why do you not want folks to be able to resolve the address of the honeypot?  And if that's the case, why not just put in a bogus address in your DNS, like a loopback address, or even 127.0.0.2?
asavener commented:
I'm sorry, I misread what was going on....

That seems like an odd configuration.  Typically, I see honeypots with no DNS entry, no advertised services, etc. and then when someone does try to connect to it, you know they're doing something they shouldn't.

Seems to me that this setup you're wanting will cause a bunch of innocuous traffic to get directed to your honeypot, which will obfuscate the traffic you're actually wanting to see.


Anywho, I think what you're looking for can be accomplished with a wildcard dns entry.  Just create an entry for *.domain.com on your sinkhole DNS server.
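The two answers above describe the Windows forwarder and the wildcard entry in words. The script below is an added example, not code from the thread, showing what the BIND side of that looks like on the Slackware sinkhole: a named.conf that accepts recursive queries only from the Windows DNS server (a server that is not listed in allow-recursion/allow-query gets REFUSED, which is the most common reason a BIND server appears to "reject" queries), and a zone for mydomain.local whose wildcard A record points every otherwise-undefined name at the honeypot. The addresses 192.0.2.10 (Windows DNS), 192.0.2.53 (sinkhole) and 192.0.2.80 (honeypot), the zone file name and the /var/named directory are assumed placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): generate and validate a BIND sinkhole
# configuration that answers every name under mydomain.local with the honeypot.
# Assumed addresses (placeholders, not from the original post); override via env.
WINDNS_IP="${WINDNS_IP:-192.0.2.10}"     # Windows 2008 R2 AD/DNS server
SINKHOLE_IP="${SINKHOLE_IP:-192.0.2.53}" # Slackware BIND sinkhole
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.80}" # honeypot host
ZONE="mydomain.local"
ZONEFILE="sinkhole.${ZONE}.zone"

# named.conf: queries and recursion are allowed only from the Windows server
# and localhost. Anything else is answered REFUSED by BIND.
named_conf() {
    conf_dir="${1:-/var/named}"
cat <<EOF
options {
    directory "${conf_dir}";
    listen-on { ${SINKHOLE_IP}; 127.0.0.1; };
    allow-query { ${WINDNS_IP}; 127.0.0.1; };
    recursion yes;
    allow-recursion { ${WINDNS_IP}; 127.0.0.1; };
};

zone "${ZONE}" IN {
    type master;
    file "${ZONEFILE}";
};
EOF
}

# Zone file: the "*" record is the wildcard from the answer above. Explicit
# records (ns1, honeypot) still take precedence over the wildcard.
zone_file() {
cat <<EOF
\$TTL 60
@        IN SOA ns1.${ZONE}. hostmaster.${ZONE}. ( 1 3600 900 604800 60 )
@        IN NS  ns1.${ZONE}.
ns1      IN A   ${SINKHOLE_IP}
honeypot IN A   ${HONEYPOT_IP}
*        IN A   ${HONEYPOT_IP}
EOF
}

# Write both files into a directory and, if the BIND tools are installed,
# validate them. Returns non-zero when validation fails.
install_sinkhole() {
    out_dir="${1:-/var/named}"
    mkdir -p "$out_dir" || return 1
    named_conf "$out_dir" > "$out_dir/named.conf"
    zone_file > "$out_dir/$ZONEFILE"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$out_dir/$ZONEFILE" >/dev/null || return 1
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out_dir/named.conf" || return 1
    fi
    return 0
}
```

Run `install_sinkhole /var/named` on the sinkhole and restart named. On the Windows 2008 R2 side the GUI steps from the first answer correspond to `dnscmd /ZoneAdd mydomain.local /Forwarder 192.0.2.53` for a conditional forwarder, or `dnscmd /ResetForwarders 192.0.2.53 /Slave` for a global forwarder with the "do not use recursion" box ticked (the sinkhole IP is the assumed placeholder above). One caveat a practitioner should check first: a forwarder is only consulted for names the Windows server cannot answer from its own zones, so if the domain controller is itself authoritative for mydomain.local, lookups in that zone are answered (or NXDOMAINed) locally and never reach the sinkhole; the wildcard then has to live in a zone the Windows server does not host.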

Daniel Beard (author) commented:
Thanks Asavener! You are right though, it is an odd configuration... but who am I to argue :P