-
July 10th, 2006, 06:07 PM
#1
blackhole dns question
I've been running blackhole dns for a while now. Ever since tigershark brought it to my attention.
It's been working fine and I update it on a daily basis via a batch file. I also append other domains to it as needed.
If I were to ping google using either google.com or www.google.com it works.
C:\Documents and Settings\user>ping google.com
Pinging google.com [72.14.207.99] with 32 bytes of data:
Reply from 72.14.207.99: bytes=32 time=52ms TTL=237
Reply from 72.14.207.99: bytes=32 time=31ms TTL=237
Reply from 72.14.207.99: bytes=32 time=29ms TTL=237
Reply from 72.14.207.99: bytes=32 time=32ms TTL=237
Ping statistics for 72.14.207.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 52ms, Average = 36ms
C:\Documents and Settings\user>ping www.google.com
Pinging www.l.google.com [64.233.161.104] with 32 bytes of data:
Reply from 64.233.161.104: bytes=32 time=22ms TTL=239
Reply from 64.233.161.104: bytes=32 time=18ms TTL=239
Reply from 64.233.161.104: bytes=32 time=18ms TTL=239
Reply from 64.233.161.104: bytes=32 time=17ms TTL=239
Ping statistics for 64.233.161.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 22ms, Average = 18ms
If I ping 000info.com and www.000info.com, the 000info.com doesn't resolve.
C:\Documents and Settings\user>ping 000info.com
Ping request could not find host 000info.com. Please check the name and try again.
C:\Documents and Settings\user>ping www.000info.com
Pinging www.000info.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Wildcards also work fine... say I ping alksdfjla;skjdflasf.000info.com
C:\Documents and Settings\user>ping alksdfjla;skjdflasf.000info.com
Pinging alksdfjla;skjdflasf.000info.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Don't get me wrong. I'm happy it won't resolve the 000info.com. Just curious as to why.
I originally followed the guide on bleedingsnort.com.
I've double-checked my config and everything is set up just like it should be.
http://www.bleedingsnort.com/blackhole-dns/#MS
My blockdomains.com.dns file looks like this:
;
; Database file blockeddomains.com.dns for blockeddomains.com zone.
; Zone version: 4
;
@ IN SOA nameserver.blockeddomains.com. admin.blockeddomains.com. (
4 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL
;
; Zone NS records
;
@ NS nameserver.blockeddomains.com.
;
; Zone records
;
www A 127.0.0.1
* A 127.0.0.1
Note: The lines referring to the domain (blockeddomains.com) and nameserver (nameserver.blockeddomains.com) have been replaced with my domain and nameserver in my file.
A snippet of the boot file would be like this:
;
; Boot information written back by DNS server.
;
forwarders x.x.x.x x.x.x.x
cache . cache.dns
primary 000info.com blockeddomains.com.dns
On their website, they don't try to ping the hostname without any www or wildcard.
Note: they used a different domain than me.
I know that the google request is being forwarded to my ISP's name servers and that the 000info.com lookup is done locally...
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
July 10th, 2006, 08:11 PM
#2
From what I'm seeing and reading (and I may be misunderstanding you) 000info is resolving to localhost 127.0.0.1. This is simply because of the order that your OS does name resolution. I believe the order is name cache (H, P, B, local name, etc.), hosts file, then DNS.
Phishy, hit me up on IM.
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 11th, 2006, 07:07 AM
#3
Did you get an answer from TH ??
The * in the zone file causes the actions you are speaking of; the "Wildcard DNS" entries.
It is referred to on the Blackhole-dns page.
I think this should answer part of your question.
Now I have a question(s):
If you are running your own DNS server, why are you using
forwarders x.x.x.x x.x.x.x
Although it can speed things up a bit, that has always seemed like a huge security issue and has been the cause of quite a bit of havoc in the past, from my understanding.
Any reason for that?
BTW, forgot to mention something.
Have you had problems with that batch update?
I have found many times that errors in the block-files caused problems, so now I test before I apply.
Just something to think about.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
July 11th, 2006, 01:56 PM
#4
I don't think TH really understood what I was asking.
When I ping google.com without the www or any wildcard, I get a reply.
When I ping 000info.com (or any other domain in that list) without the www or any subdomain, I don't get a reply. I have not tried to append all those domains to my hosts file and tie them to localhost. That *should* do it, but I was curious as to why I would need to do that and DNS wouldn't resolve the address without the www or subdomain.
If I wanted it to resolve the domain without the www or *, how would I do that?
I'm in an Active Directory environment. As such, you can't run blackhole dns on an AD DNS server. (They don't allow you to load from a file. Just AD/registry.)
I have these stand alone DNS servers being forwarded to my internal AD DNS servers.
I have not had problems with the batch update. I archive the previous boot files. So, if there should be a problem, I can easily restore to the working one. Also, if there is no new file, the batch fails and it keeps the same boot file in place.
(err, scratch that. I did have one problem where there was a duplicate domain in the block file which prevented the dns server from restarting. It only affected one server as I have them on different schedules and once I saw the problem, I was able to fix it before the others had problems. I was thinking of doing a script to check the file for duplicates before applying, but I haven't really had any problem with it since.)
-
July 11th, 2006, 05:48 PM
#5
OK, I think I understand the question now.
Everything works like it should (resolving to the 127.0.0.1)
EXCEPT just using the name exactly as it is in the boot file (block list)
example:
www.000info.com resolves to 127.0.0.1
Anything.000info.com resolves to 127.0.0.1
But
000info.com won't resolve
and the boot file contains 000info.com
That's just freaking weird!
I am using BIND and do not have that problem.
The only thing I can think of is maybe it is being picky about the syntax of the zone file?
-
July 11th, 2006, 05:57 PM
#6
exactly. in the blackhole dns config guide, they didn't even show an example of just trying to resolve the domain without the www or subdomain.
I'm pretty sure I have the config setup properly...
I also thought it was pretty weird...
I *think* that when I originally set this up, it worked fine. But I'm not 100% on that.
-
July 12th, 2006, 06:46 AM
#7
If it doesn't resolve to 127.0.0.1 it isn't working.
Code:
rcgreen@blue:~$ nslookup 00info.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: 00info.com
Address: 127.0.0.1
rcgreen@blue:~$ nslookup www.00info.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.00info.com
Address: 127.0.0.1
Code:
rcgreen@blue:~$ ping www.00info.com
PING www.00info.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.010 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.014 ms
--- www.00info.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.010/0.012/0.014/0.002 ms
rcgreen@blue:~$ ping 00info.com
PING 00info.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.009 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.015 ms
--- 00info.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.009/0.012/0.015/0.003 ms
The reason it isn't resolving is because the host is down, not because of your black hole dns. The request is being forwarded to your ISP, and then failing to resolve. Probably something wrong with the syntax of your zone file.
I came in to the world with nothing. I still have most of it.
-
July 12th, 2006, 12:37 PM
#8
Ok, I'll double-check the syntax of the zone file when I get in this AM.
As far as I can tell, the zone file matches the example they have 100% except for the domain info and nameserver info has been changed to match my environment and forwarders to my AD DNS servers have been added.
I'll delete the zone and start new and then add the wildcard and see if that helps at all.
BTW: Why would it matter if the actual host is down? It *should* be resolving to localhost in which case the "host" would never be down unless there is a problem with the NIC on the machine making the DNS inquiry.
-
July 12th, 2006, 04:07 PM
#9
BTW: Why would it matter if the actual host is down?
It shouldn't. It should resolve to 127.0.0.1 no matter what, but if the host was up, it would not be blocked because your system is forwarding the request to your forwarder rather than handling it locally.
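As an added example (not code from the thread or from the bleedingsnort guide), a small pre-flight check for the two problems raised above: the bare-domain lookups in posts #1 and #8, and the duplicate zone line that stopped the service restarting in post #4. It assumes the Windows DNS boot-file and zone-file syntax quoted in the thread, uses constructed sample text, and flags the point the thread circles around: a `*` wildcard matches names below the zone origin but never the origin itself, so the bare name only sinks when the zone also carries an explicit `@` A record.

```python
from collections import Counter

# Constructed to mirror the poster's zone: only "www" and "*" A records.
ZONE_TEXT = """\
@ IN SOA nameserver.blockeddomains.com. admin.blockeddomains.com. (
 4 900 600 86400 ; serial refresh retry expire
 3600 ) ; minimum TTL
@ NS nameserver.blockeddomains.com.
www A 127.0.0.1
* A 127.0.0.1
"""

# Constructed boot file with the duplicate "primary" line the poster hit.
BOOT_TEXT = """\
forwarders x.x.x.x x.x.x.x
cache . cache.dns
primary 000info.com blockeddomains.com.dns
primary ads.example blockeddomains.com.dns
primary 000info.com blockeddomains.com.dns
"""

def parse_a_records(zone_text):
    """owner -> address for each 'owner [ttl] [class] A addr' line; skips
    ';' comments and the parenthesised SOA (owner-less records unsupported)."""
    records, depth = {}, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and depth == 0:
            fields = line.replace("(", " ( ").replace(")", " ) ").split()
            if len(fields) >= 3 and fields[-2] == "A":
                records[fields[0]] = fields[-1]
        depth += line.count("(") - line.count(")")
    return records

def sinkhole_coverage(zone_text, sinkhole="127.0.0.1"):
    """A '*' wildcard matches names below the origin, never the origin itself,
    so the bare domain only sinks if there is an explicit '@' A record."""
    a = parse_a_records(zone_text)
    return {"apex": a.get("@") == sinkhole,       # 000info.com
            "www": a.get("www") == sinkhole,      # www.000info.com
            "wildcard": a.get("*") == sinkhole}   # anything.000info.com

def duplicate_zones(boot_text):
    """Zone names on more than one 'primary' line (stops the service restarting)."""
    seen = Counter()
    for line in boot_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "primary":
            seen[parts[1].lower().rstrip(".")] += 1
    return sorted(z for z, n in seen.items() if n > 1)
```

Feed the two functions the contents of the real zone and boot files before the batch job swaps them in; an `apex: False` result means the bare domain will fall through, and any name returned by `duplicate_zones` will keep the server from restarting.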