Comments on Errata Security: How would you use Lua scripting in a DNS server?
David Maynor
Feed updated 2024-01-16T05:48:33.523-05:00 (5 comments)

scalefree, 2015-06-26T00:59:34.551-04:00

You could use it to trigger on patterns indicative of malicious behavior. DNS is often a component of advanced attack patterns.

Terry, 2015-06-22T15:56:44.041-04:00

It just so happens that Verisign offers Global Server Load Balancing based on LUA scripts that is very similar to the model described here. You can see an overview of the service at http://www.verisigninc.com/en_US/security-services/website-traffic-management/index.xhtml. The Lua scripts run against every query to a DTM-enabled record at any of our global resolution sites.

Hristos, 2015-06-19T05:29:04.143-04:00

It really sounds like a push/pull choice problem to me.

Personally I would incorporate this script on some nrpe checks on the servers; they would (on Critical load status, for example) inform the Lua thread to change the DNS settings (any of them).

In short, let nrpe checks on SQL/LDAP server inform the DNS server for you with a custom check script, not the other way around. It feels too much of an overhead to do it the way you described on the post (many times per second, etc.).

Unknown, 2015-06-18T21:20:51.867-04:00

One use would be to return "127.0.0.1" (or "::1" for IPv6) for known ad network servers.

ThingFish, 2015-06-17T14:43:48.054-04:00

Suppose you have two networks connected at once: a connection to work (which naturally has 10.x.y.z IP addresses) and a connection to the Internet. You want some names ("home.intranet" or "dbserver.corp.intranet") to be resolved by the work DNS server, and everything else by 8.8.8.8. Your Lua scripting should allow that. Of course, a corporate intranet accessible by SSH would also solve this, but we're talking reality here.