[Dshield] DNS blackholes

Pete Cap peteoutside at yahoo.com
Sat Dec 10 00:17:44 GMT 2005

Frank Knobbe <frank at knobbe.us> wrote: On Fri, 2005-12-09 at 14:07 -0800, Pete Cap wrote:
>  If you have badguys.org blackholed (say, redirected to,
> and someone on your network sends out a query for that IP, then the
> DNS server will return, right?
>  Is it still possible for an individual host to send out a request to
> a specific server (say, dns.otherbadguys.net) for badguys.org, thus
> bypassing the blackhole?  That is, you're ignoring the local DNS
> server.

Of course. That's why your firewall should only allow outbound DNS
queries from your authorized internal/forwarding name servers.

... you do restrict outbound traffic on your firewall, right?

 The local DNS servers ARE the ones making the query.  But they are looking up a blackholed resource at another area.
 I am piecing this together from firewall logs but it appears as though a host on the network is asking the DNS server to look up a forbidden resource, X, at someone ELSE's DNS server, Y, rather than return the locally cached answer (which is and return the IP address so traffic may commence.  I don't know enough about DNS to know if this is feasible.

Yahoo! Shopping
 Find Great Deals on Holiday Gifts at Yahoo! Shopping 

More information about the list mailing list