I have been tasked to set up the following:
1 - Set up and maintain a dynamic list of IP addresses, using the results of lookups performed with a trusted DNS resolver
2 - Also maintain a static whitelist (for business apps that require so)
3 - Blackhole traffic for all IP addresses that do not match the whitelist.
Essentially, IP traffic for which a corresponding successful DNS request, and reply, does not exist is denied.
There are a lot of details (aging, intercepting and redirecting DNS requests sent elsewhere, etc.) but disregarding them altogether at this point in time, my questions are:
A - Is it possible?
B - Is there a tool that exists that does that?
C - Is managing some static whitelist for legit traffic going to be a nightmare?
D - more importantly, is it a good idea to start with? Is there any real security benefit / gain in doing this?
PS I looked far and wide here, on different subs and also Google, but all I could find was around the concept of using predefined FQDNs in some way (different ways). This is not what I am after; any FQDN is OK (some other system may blacklist domains, but this is another topic).
PPS Obviously, the trusted DNS resolver MUST be really good and trustful, but this is also for another topic.
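The scheme the post describes (dynamic allowlist fed by trusted resolver answers with TTL aging, a static whitelist for business apps, default deny for everything else) as an added example, not code from the poster or any existing tool. The address ranges, event stream, and the 30-second TTL floor are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, not real hosts).
STATIC_ALLOW = ["192.0.2.0/24"]          # business apps that need a fixed rule
EVENTS = [                                # (time, kind, ...) in the order observed
    (0,  "dns", "www.example.com", "198.51.100.7", 60),   # resolver answer, TTL 60 s
    (5,  "pkt", "198.51.100.7"),                           # client connects to the answer
    (5,  "pkt", "203.0.113.9"),                            # never resolved: blackholed
    (10, "pkt", "192.0.2.25"),                             # static whitelist entry
    (70, "pkt", "198.51.100.7"),                           # answer aged out at t=60
    (71, "dns", "cdn.example.net", "198.51.100.7", 5),     # short TTL, floored to 30 s
    (95, "pkt", "198.51.100.7"),                           # still inside the floored TTL
]

class DnsDrivenAllowlist:
    # Default deny: an IP is reachable only if a trusted resolver recently
    # answered with it, or it sits in the static whitelist.
    def __init__(self, static_cidrs, min_ttl=30):
        self.static = [ipaddress.ip_network(c) for c in static_cidrs]
        self.min_ttl = min_ttl            # floor so a 1 s TTL still lets the client connect
        self.dynamic = {}                 # ip -> (expires_at, qname that produced it)

    def learn(self, qname, answer_ip, ttl, now):
        ip = ipaddress.ip_address(answer_ip)
        expires = now + max(ttl, self.min_ttl)
        if expires > self.dynamic.get(ip, (0,))[0]:   # keep the longest-lived answer
            self.dynamic[ip] = (expires, qname)

    def expire(self, now):
        # Aging: drop entries whose TTL has run out (call periodically).
        self.dynamic = {ip: e for ip, e in self.dynamic.items() if e[0] > now}

    def decide(self, dst_ip, now):
        ip = ipaddress.ip_address(dst_ip)
        if any(ip in net for net in self.static):
            return "allow", "static"
        entry = self.dynamic.get(ip)
        if entry and entry[0] > now:
            return "allow", "dns:" + entry[1]
        return "deny", "no-matching-dns-answer"

def replay(events, static=STATIC_ALLOW):
    # Feed the event stream through the list; return one verdict per packet.
    acl = DnsDrivenAllowlist(static)
    verdicts = []
    for ev in events:
        now = ev[0]
        acl.expire(now)
        if ev[1] == "dns":
            acl.learn(ev[2], ev[3], ev[4], now)
        else:
            verdicts.append((now, ev[2]) + acl.decide(ev[2], now))
    return verdicts
```

Running `replay(EVENTS)` shows the packet at t=70 being denied because the t=0 answer has aged out, which is the behaviour a real implementation has to reconcile with long-lived connections and client-side DNS caching.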