blackhole dns question

Printable View

July 10th, 2006, 06:07 PM
phishphreek

blackhole dns question

I've been running blackhole dns for a while now. Ever since tigershark brought it to my attention.
It's been working fine and I update it on a daily basis via a batch file. I also append other domains to it as needed.

If I were to ping google using either google.com or www.google.com it works.

Quote:

C:\Documents and Settings\user>ping google.com

Pinging google.com [72.14.207.99] with 32 bytes of data:

Reply from 72.14.207.99: bytes=32 time=52ms TTL=237
Reply from 72.14.207.99: bytes=32 time=31ms TTL=237
Reply from 72.14.207.99: bytes=32 time=29ms TTL=237
Reply from 72.14.207.99: bytes=32 time=32ms TTL=237

Ping statistics for 72.14.207.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 52ms, Average = 36ms

Quote:

C:\Documents and Settings\user>ping www.google.com

Pinging www.l.google.com [64.233.161.104] with 32 bytes of data:

Reply from 64.233.161.104: bytes=32 time=22ms TTL=239
Reply from 64.233.161.104: bytes=32 time=18ms TTL=239
Reply from 64.233.161.104: bytes=32 time=18ms TTL=239
Reply from 64.233.161.104: bytes=32 time=17ms TTL=239

Ping statistics for 64.233.161.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 22ms, Average = 18ms

If I ping 000info.com and www.000info.com the 000info.com doesn't resolve.

Quote:

C:\Documents and Settings\user>ping 000info.com
Ping request could not find host 000info.com. Please check the name and try again.

Quote:

C:\Documents and Settings\user>ping www.000info.com

Pinging www.000info.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Wildcards also work fine... say I ping alksdfjla;skjdflasf.000info.com

Quote:

C:\Documents and Settings\user>ping alksdfjla;skjdflasf.000info.com

Pinging alksdfjla;skjdflasf.000info.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Don't get me wrong. I'm happy it won't resolve the 000info.com. Just curious as to why.

I originally followed the guide on bleedingsnort.com.
I've doublechecked my config and everything is setup just like it should be.

http://www.bleedingsnort.com/blackhole-dns/#MS

My blockdomains.com.dns file looks like this:

Quote:

;
; Database file blockeddomains.com.dns for blockeddomains.com zone.
; Zone version: 4
;

@ IN SOA nameserver.blockeddomains.com. admin.blockeddomains.com. (
4 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL

;
; Zone NS records
;

@ NS nameserver.blockeddomains.com.

;
; Zone records
;

www A 127.0.0.1
* A 127.0.0.1

Note: The lines referring to the domain (blockeddomains.com) and nameserver (nameserver.blockeddomains.com) have been replaced with my domain and nameserver in my file.

A snippet of the boot file would be like this:

Quote:

;
; Boot information written back by DNS server.
;

forwarders x.x.x.x x.x.x.x
cache . cache.dns
primary 000info.com blockeddomains.com.dns

On their website, they don't try to ping the hostname without any www or wildcard.
Note: they used a different domain than me.

Quote:

ping www.coolwebsearch.com
ping anyrandomstring.coolwebsearch.com
ping hsdsdshgdhsgd.coolwebsearch.com
nslookup www.coolwebsearch.com
nslookup ihatebrowserhijackers.coolwebsearch.com

I know that the google request is being forwared to my ISP's name servers and that the 000info.com lookup is done locally...
July 10th, 2006, 08:11 PM
thehorse13

From what I'm seeing and reading (and I may be misunderstanding you) 000info is resolving to localhost 127.0.0.1. This is simply because of the order that your OS does name resolution. I believe the order is name cache (H,P, B, local name etc), host file, then DNS.

Phishy, hit me up on IM.

--Th13
July 11th, 2006, 07:07 AM
IKnowNot

Did you get an answer from TH ??

The

Quote:

* A 127.0.0.1

in the zone file causes the actions you are speaking of; the " Wildcard DNS " entries.

It is referred on the Blackhole-dns page

I think this should answer part of your question.

Now I have a question(s):

If you are running your own DNS server, why are you using

Quote:

forwarders x.x.x.x x.x.x.x

Although it can speed things up a bit, that has always seemed like a huge security issue and has been the cause of quite a bit of havoc in the past, from my understanding.

Any reason for that?

BTW, forgot to mention something.

Have you had problems with that batch update?

I have found many times that errors in the block-files caused problems, so now I test before I apply.

Just something to think about.
July 11th, 2006, 01:56 PM
phishphreek

I don't think TH really understood what I was asking.

When I ping google.com without the www or any wildcard, I get a reply.

When I ping 000info.com (or any other domain in that list) without the www or any subdomain, I don't get a reply. I have not tried to append all those domains to my hosts file and tie them to localhost. That *should* do it, but I was curious as to why I would need to do that and DNS wouldn't resolve the address without the www or subdomain.

If I wanted it to resolve the domain without the www or *, how would I do that?

I'm in an Active Directory environment. As such, you can't run blackhole dns on an AD DNS server. (They don't allow you to load from a file. Just AD/registry.)

I have these stand alone DNS servers being forwarded to my internal AD DNS servers.

I have not had problems with the batch update. I archive the previous files boot files. So, if there should be a problem, I can easily restore to the working. Also, if there is no new file, the batch fails and it keeps the same boot file in place.

(err, scratch that. I did have one problem where there was a dupplicate domain in the block file which prevented the dns server from restarting. It only affected one server as I have them on different schedules and once I saw the problem, I was able to fix it before the others had problems. I was thinking of doing a script to check the file for duplicates before applying, but I haven't really had any problem with it since.)
July 11th, 2006, 05:48 PM
IKnowNot

OK, I think I understand the question now.

Everything works like it should, ( resolving to the 127.0.0.1 )

EXCEPT just using the name exactly as it is in the boot file ( block list )

example:

www.000info.com resolves to 127.0.0.1
Anything.000info.com resolves to 127.0.0.1

But
000info.com won't resolve

and the boot file contains 000info.com

That's just freaking weird!

I am using BIND and do not have that problem.

The only thing I can think of is maybe it is being picky about the syntax of the zone file?
July 11th, 2006, 05:57 PM
phishphreek

exactly. in the blackhole dns config guide, they didn't even show an example of just trying to resolve the domin without the www or subdomain.

I'm pretty sure I have the config setup properly...

I also thought it was pretty weird...

I *think* that when I originally set this up, it worked fine. But I'm not 100% on that.
July 12th, 2006, 06:46 AM
rcgreen

If it doesn't resolve to 127.0.0.1 it isn't working.

Code:

rcgreen@blue:~$ nslookup 00info.com Server: 127.0.0.1 Address: 127.0.0.1#53 Name: 00info.com Address: 127.0.0.1 rcgreen@blue:~$ nslookup www.00info.com Server: 127.0.0.1 Address: 127.0.0.1#53 Name: www.00info.com Address: 127.0.0.1

Code:

rcgreen@blue:~$ ping www.00info.com PING www.00info.com (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.010 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.014 ms --- www.00info.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.010/0.012/0.014/0.002 ms rcgreen@blue:~$ ping 00info.com PING 00info.com (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.009 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.015 ms --- 00info.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.009/0.012/0.015/0.003 ms

The reason it isn't resolving is because the host is down, not because
of your black hole dns. The request is being forwarded to your ISP,
and then failing to resolve. Probably something wrong with the syntax
of your zone file.
:cool:
July 12th, 2006, 12:37 PM
phishphreek

Ok, I'll doublecheck the syntax of the zone file when I get in this AM.

As far as I can tell, the zone file matches the example they have 100% except for the domain info and nameserver info has been changed to match my environment and forwarders to my AD DNS servers have been added.

I'll delete the zone and start new and then add the wildcard and see if that helps at all.

BTW: Why would it matter if the actual host is down? It *should* be resolving to localhost in which case the "host" would never be down unless there is a problem with the NIC on the machine making the DNS inquiry.
July 12th, 2006, 04:07 PM
rcgreen

Quote:

BTW: Why would it matter if the actual host is down?

It shouldn't. It should resolve to 127.0.0.1 no matter what, but if the
host was up, it would not be blocked because your system is forwarding
the request to your forwarder rather than handling it locally.