
Thread: blackhole dns question

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    blackhole dns question

    I've been running blackhole dns for a while now. Ever since tigershark brought it to my attention.
    It's been working fine and I update it on a daily basis via a batch file. I also append other domains to it as needed.

    If I were to ping google using either google.com or www.google.com it works.

    C:\Documents and Settings\user>ping google.com

    Pinging google.com [72.14.207.99] with 32 bytes of data:

    Reply from 72.14.207.99: bytes=32 time=52ms TTL=237
    Reply from 72.14.207.99: bytes=32 time=31ms TTL=237
    Reply from 72.14.207.99: bytes=32 time=29ms TTL=237
    Reply from 72.14.207.99: bytes=32 time=32ms TTL=237

    Ping statistics for 72.14.207.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 52ms, Average = 36ms
    C:\Documents and Settings\user>ping www.google.com

    Pinging www.l.google.com [64.233.161.104] with 32 bytes of data:

    Reply from 64.233.161.104: bytes=32 time=22ms TTL=239
    Reply from 64.233.161.104: bytes=32 time=18ms TTL=239
    Reply from 64.233.161.104: bytes=32 time=18ms TTL=239
    Reply from 64.233.161.104: bytes=32 time=17ms TTL=239

    Ping statistics for 64.233.161.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 22ms, Average = 18ms

    If I ping 000info.com and www.000info.com, the 000info.com doesn't resolve.

    C:\Documents and Settings\user>ping 000info.com
    Ping request could not find host 000info.com. Please check the name and try again.
    C:\Documents and Settings\user>ping www.000info.com

    Pinging www.000info.com [127.0.0.1] with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Wildcards also work fine... say I ping alksdfjla;skjdflasf.000info.com

    C:\Documents and Settings\user>ping alksdfjla;skjdflasf.000info.com

    Pinging alksdfjla;skjdflasf.000info.com [127.0.0.1] with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Don't get me wrong. I'm happy it won't resolve the 000info.com. Just curious as to why.

    I originally followed the guide on bleedingsnort.com.
    I've doublechecked my config and everything is setup just like it should be.

    http://www.bleedingsnort.com/blackhole-dns/#MS

    My blockdomains.com.dns file looks like this:

    ;
    ; Database file blockeddomains.com.dns for blockeddomains.com zone.
    ; Zone version: 4
    ;

    @ IN SOA nameserver.blockeddomains.com. admin.blockeddomains.com. (
    4 ; serial number
    900 ; refresh
    600 ; retry
    86400 ; expire
    3600 ) ; minimum TTL

    ;
    ; Zone NS records
    ;

    @ NS nameserver.blockeddomains.com.

    ;
    ; Zone records
    ;

    www A 127.0.0.1
    * A 127.0.0.1

    Note: The lines referring to the domain (blockeddomains.com) and nameserver (nameserver.blockeddomains.com) have been replaced with my domain and nameserver in my file.

    A snippet of the boot file would be like this:

    ;
    ; Boot information written back by DNS server.
    ;

    forwarders x.x.x.x x.x.x.x
    cache . cache.dns
    primary 000info.com blockeddomains.com.dns

    On their website, they don't try to ping the hostname without any www or wildcard.
    Note: they used a different domain than me.
    ping www.coolwebsearch.com
    ping anyrandomstring.coolwebsearch.com
    ping hsdsdshgdhsgd.coolwebsearch.com
    nslookup www.coolwebsearch.com
    nslookup ihatebrowserhijackers.coolwebsearch.com
    I know that the google request is being forwarded to my ISP's name servers and that the 000info.com lookup is done locally...

    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
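    An added example, not from the thread or from the Blackhole DNS guide: a small Python model of how an authoritative server answers queries against the zone file posted above. It parses a constructed copy of that zone and applies the standard wildcard rule (RFC 1034 / RFC 4592): `*` covers names below the zone apex, never the apex itself. With only `www` and `*` records, the bare name `000info.com` exists (it owns the SOA and NS) but has no A record, so the server returns an empty authoritative answer instead of forwarding the query, which is exactly what the failed ping shows. Adding an `@ A 127.0.0.1` record is an assumed fix the guide does not show. The origin, records and query names come from the post; the parser and lookup logic are the example's own.

```python
"""Added example: a minimal zone-file parser plus RFC 1034/4592 wildcard
lookup, modelling how an authoritative server answers queries against the
blackhole zone from the post.  It is not the Windows DNS service itself."""

ORIGIN = "000info.com"   # zone that the boot file's 'primary' line loads this file for

# Constructed copy of the zone file from the post (comment banners trimmed).
ZONE_AS_POSTED = """\
@ IN SOA nameserver.blockeddomains.com. admin.blockeddomains.com. (
4 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL
@ NS nameserver.blockeddomains.com.
www A 127.0.0.1
* A 127.0.0.1
"""

# Same zone with an apex A record added (assumed fix, not shown in the guide).
ZONE_WITH_APEX = ZONE_AS_POSTED + "@ A 127.0.0.1\n"


def parse_zone(text, origin):
    """Return {owner_fqdn: {rrtype: [rdata, ...]}}.

    Handles the one-record-per-line A/NS records the blackhole zone uses plus
    the parenthesised multi-line SOA; the optional 'IN' class is skipped."""
    records = {}
    in_paren = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if in_paren:                                 # SOA continuation lines
            in_paren = ")" not in line
            continue
        fields = line.split()
        if "(" in line and ")" not in line:
            in_paren = True
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rrtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner[:-1]
        else:
            fqdn = f"{owner}.{origin}"
        records.setdefault(fqdn.lower(), {}).setdefault(rrtype, []).append(rdata)
    return records


def lookup(records, qname, qtype, origin):
    """Answer like an authoritative server.

    1. Exact owner-name match.  The apex '000info.com' exists because of its
       SOA/NS records, so an A query for it is NODATA: an empty answer.
    2. Otherwise the wildcard '*.<origin>' covers names *below* the apex,
       so 'www.' and any random label match; the apex itself never does.
    3. Otherwise nothing.  Being authoritative for the zone, the server
       answers from this data and does not forward the query."""
    qname, origin = qname.lower().rstrip("."), origin.lower()
    if qname in records:
        return records[qname].get(qtype, [])
    wildcard = f"*.{origin}"
    if wildcard in records and qname.endswith("." + origin):
        return records[wildcard].get(qtype, [])
    return []


def resolve_a(zone_text, name):
    """Convenience wrapper: A records for `name` in the given zone text."""
    return lookup(parse_zone(zone_text, ORIGIN), name, "A", ORIGIN)


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED), ("with apex A", ZONE_WITH_APEX)):
        for name in ("000info.com", "www.000info.com", "alksdfjlaskjdflasf.000info.com"):
            print(f"{label:12} {name:32} -> {resolve_a(zone, name) or 'no A record'}")
```

    Run as-is it prints the apex as "no A record" for the posted zone and as 127.0.0.1 once the `@ A` line is present, while the `www` and random-label names resolve to 127.0.0.1 in both cases.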

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    From what I'm seeing and reading (and I may be misunderstanding you) 000info is resolving to localhost 127.0.0.1. This is simply because of the order that your OS does name resolution. I believe the order is name cache (H, P, B, local name, etc.), hosts file, then DNS.

    Phishy, hit me up on IM.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Did you get an answer from TH ??

    The
    * A 127.0.0.1
    in the zone file causes the actions you are speaking of; the "Wildcard DNS" entries.

    It is referred on the Blackhole-dns page

    I think this should answer part of your question.

    Now I have a question(s):

    If you are running your own DNS server, why are you using
    forwarders x.x.x.x x.x.x.x
    Although it can speed things up a bit, that has always seemed like a huge security issue and has been the cause of quite a bit of havoc in the past, from my understanding.

    Any reason for that?

    BTW, forgot to mention something.

    Have you had problems with that batch update?

    I have found many times that errors in the block-files caused problems, so now I test before I apply.

    Just something to think about.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I don't think TH really understood what I was asking.

    When I ping google.com without the www or any wildcard, I get a reply.

    When I ping 000info.com (or any other domain in that list) without the www or any subdomain, I don't get a reply. I have not tried to append all those domains to my hosts file and tie them to localhost. That *should* do it, but I was curious as to why I would need to do that and DNS wouldn't resolve the address without the www or subdomain.

    If I wanted it to resolve the domain without the www or *, how would I do that?

    I'm in an Active Directory environment. As such, you can't run blackhole dns on an AD DNS server. (They don't allow you to load from a file. Just AD/registry.)

    I have these stand alone DNS servers being forwarded to my internal AD DNS servers.

    I have not had problems with the batch update. I archive the previous boot files. So, if there should be a problem, I can easily restore the working one. Also, if there is no new file, the batch fails and it keeps the same boot file in place.

    (err, scratch that. I did have one problem where there was a duplicate domain in the block file which prevented the dns server from restarting. It only affected one server as I have them on different schedules and once I saw the problem, I was able to fix it before the others had problems. I was thinking of doing a script to check the file for duplicates before applying, but I haven't really had any problem with it since.)
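    The duplicate-domain failure described above is the kind of thing a pre-apply check catches before the service is restarted. The following is an added example, not the poster's batch job or anything from the Blackhole DNS guide: a Python validator for a boot file in the format shown earlier in the thread. It flags duplicate `primary` zones (case-insensitively), syntactically invalid zone names, `primary` lines with the wrong field count, and directives it does not know. The sample boot file, its IPs and its extra zones are constructed; the set of known directives is just the three the thread's snippet uses and would need extending for a real file.

```python
"""Added example: pre-apply validator for a Windows DNS boot file in the
format shown in the thread.  It catches the duplicate-zone mistake the
poster described, plus malformed lines, so a batch job can refuse to
install a file that would stop the DNS service from restarting."""
import re

# Constructed sample in the thread's boot-file format, seeded with the kinds
# of mistakes worth catching.  IPs and the extra zones are placeholders.
SAMPLE_BOOT = """\
;
; Boot information written back by DNS server.
;
forwarders 10.0.0.1 10.0.0.2
cache . cache.dns
primary 000info.com blockeddomains.com.dns
primary coolwebsearch.com blockeddomains.com.dns
primary 000INFO.COM blockeddomains.com.dns
primary not_a_domain blockeddomains.com.dns
primary example.net
"""

# Directives the thread's boot file actually uses; extend for your own file.
KNOWN_DIRECTIVES = {"forwarders", "cache", "primary"}

# One hostname label: letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def valid_domain(name):
    """Syntactic check of a zone name (RFC 1035 label rules, 253-char total)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def validate_boot(text):
    """Return [(line_no, message), ...]; an empty list means safe to apply."""
    problems = []
    first_seen = {}                          # zone -> line where it first appeared
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive not in KNOWN_DIRECTIVES:
            problems.append((no, f"unknown directive {fields[0]!r}"))
        elif directive == "primary":
            if len(fields) != 3:
                problems.append((no, "primary needs exactly <zone> <file>"))
                continue
            zone = fields[1].lower().rstrip(".")
            if not valid_domain(zone):
                problems.append((no, f"invalid zone name {fields[1]!r}"))
            elif zone in first_seen:
                problems.append((no, f"duplicate zone {zone} (first at line {first_seen[zone]})"))
            else:
                first_seen[zone] = no
    return problems


def safe_to_apply(text):
    """True only when the file passed every check."""
    return not validate_boot(text)


if __name__ == "__main__":
    for no, msg in validate_boot(SAMPLE_BOOT):
        print(f"line {no}: {msg}")
    print("safe to apply:", safe_to_apply(SAMPLE_BOOT))
```

    Wired into the daily batch, the new boot file would be written to a staging name, this check run against it, and the swap into place done only when `safe_to_apply` is true, with the previous file still archived as the poster already does.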

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    OK, I think I understand the question now.

    Everything works like it should, ( resolving to the 127.0.0.1 )

    EXCEPT just using the name exactly as it is in the boot file ( block list )

    example:

    www.000info.com resolves to 127.0.0.1
    Anything.000info.com resolves to 127.0.0.1

    But
    000info.com won't resolve

    and the boot file contains 000info.com

    That's just freaking weird!

    I am using BIND and do not have that problem.

    The only thing I can think of is maybe it is being picky about the syntax of the zone file?

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Exactly. In the blackhole dns config guide, they didn't even show an example of just trying to resolve the domain without the www or subdomain.

    I'm pretty sure I have the config setup properly...

    I also thought it was pretty weird...

    I *think* that when I originally set this up, it worked fine. But I'm not 100% on that.

  7. #7
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    If it doesn't resolve to 127.0.0.1 it isn't working.

    Code:
    rcgreen@blue:~$ nslookup 00info.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    Name:   00info.com
    Address: 127.0.0.1
    
    rcgreen@blue:~$ nslookup www.00info.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    Name:   www.00info.com
    Address: 127.0.0.1
    Code:
    rcgreen@blue:~$ ping www.00info.com
    PING www.00info.com (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.010 ms
    64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.014 ms
    
    --- www.00info.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.010/0.012/0.014/0.002 ms
    rcgreen@blue:~$ ping 00info.com
    PING 00info.com (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.009 ms
    64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.015 ms
    
    --- 00info.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.009/0.012/0.015/0.003 ms
    The reason it isn't resolving is because the host is down, not because
    of your black hole dns. The request is being forwarded to your ISP,
    and then failing to resolve. Probably something wrong with the syntax
    of your zone file.
    I came in to the world with nothing. I still have most of it.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Ok, I'll doublecheck the syntax of the zone file when I get in this AM.

    As far as I can tell, the zone file matches the example they have 100% except for the domain info and nameserver info has been changed to match my environment and forwarders to my AD DNS servers have been added.

    I'll delete the zone and start new and then add the wildcard and see if that helps at all.

    BTW: Why would it matter if the actual host is down? It *should* be resolving to localhost in which case the "host" would never be down unless there is a problem with the NIC on the machine making the DNS inquiry.

  9. #9
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    BTW: Why would it matter if the actual host is down?
    It shouldn't. It should resolve to 127.0.0.1 no matter what, but if the
    host was up, it would not be blocked because your system is forwarding
    the request to your forwarder rather than handling it locally.
