[Dshield] DNS blackholes

Pete Cap peteoutside at yahoo.com
Sat Dec 10 00:17:44 GMT 2005


Frank Knobbe <frank at knobbe.us> wrote:
On Fri, 2005-12-09 at 14:07 -0800, Pete Cap wrote:
>  If you have badguys.org blackholed (say, redirected to 127.0.0.1),
> and someone on your network sends out a query for that IP, then the
> DNS server will return 127.0.0.1, right?
>  
>  Is it still possible for an individual host to send out a request to
> a specific server (say, dns.otherbadguys.net) for badguys.org, thus
> bypassing the blackhole?  That is, you're ignoring the local DNS
> server.

Of course. That's why your firewall should only allow outbound DNS
queries from your authorized internal/forwarding name servers.

... you do restrict outbound traffic on your firewall, right?

Cheers,
Frank
The local DNS servers ARE the ones making the query.  But they are looking up a blackholed resource at another area.

I am piecing this together from firewall logs but it appears as though a host on the network is asking the DNS server to look up a forbidden resource, X, at someone ELSE's DNS server, Y, rather than return the locally cached answer (which is 127.0.0.1) and return the IP address so traffic may commence.  I don't know enough about DNS to know if this is feasible.

Thanks,

Pete
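Added example, not code from the list or from either participant: a small Python check that applies the egress rule from Frank's reply (only authorized internal resolvers may send DNS out of the network) to iptables-style firewall log lines, and extends it to Pete's second case (the authorized resolvers are forwarders, so their only legitimate external DNS peers are their configured upstream forwarders; a forwarder talking to some other external server on port 53 is worth a look). The internal range, resolver addresses, upstream address and log lines are all constructed for the example.

```python
"""
Egress DNS policy check and firewall-log triage for a DNS blackhole deployment.

Added example for the thread above, not code from the list or its participants.
Two checks:
  1. Frank's egress rule: only authorized internal resolvers may send DNS
     (port 53) out of the network.
  2. Pete's second case: the authorized resolvers are forwarders, so their only
     legitimate external DNS peers are the configured upstream forwarders.
All addresses and log lines below are constructed for the example.
"""
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")            # assumption: internal range
AUTHORIZED_RESOLVERS = {                                      # assumption: forwarding resolvers
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.0.54"),
}
APPROVED_UPSTREAMS = {ipaddress.ip_address("198.51.100.7")}   # assumption: configured forwarder

# Constructed iptables-style log lines (SRC/DST/PROTO/DPT fields).
SAMPLE_LOG = """\
Dec  9 14:01:02 fw kernel: OUT=eth1 SRC=10.0.0.53 DST=198.51.100.7 PROTO=UDP SPT=40122 DPT=53
Dec  9 14:01:05 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.9 PROTO=UDP SPT=51021 DPT=53
Dec  9 14:01:06 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.9 PROTO=TCP SPT=51022 DPT=53
Dec  9 14:01:09 fw kernel: OUT=eth1 SRC=10.0.0.54 DST=203.0.113.9 PROTO=UDP SPT=40123 DPT=53
Dec  9 14:01:11 fw kernel: OUT=eth1 SRC=10.0.7.8 DST=192.0.2.44 PROTO=TCP SPT=51100 DPT=443
Dec  9 14:01:12 fw kernel: IN=eth0 SRC=10.0.7.8 DST=10.0.0.53 PROTO=UDP SPT=52000 DPT=53
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "DPT"}


def parse_line(line):
    """Pull the fields we need out of one log line; None if any are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED <= set(fields):
        return None
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields["PROTO"],
        "dport": int(fields["DPT"]),
    }


def classify_dns_egress(src, dst, proto, dport):
    """Return None if the packet is fine under the policy, else a reason string."""
    if dport != 53 or proto not in ("UDP", "TCP"):
        return None                       # not DNS, outside this rule's scope
    if dst in INTERNAL_NET:
        return None                       # host -> local resolver is the intended path
    if src not in AUTHORIZED_RESOLVERS:
        return "host bypassing local resolver"
    if dst not in APPROVED_UPSTREAMS:
        return "resolver querying unapproved upstream"
    return None


def find_dns_policy_violations(log_text):
    """Run the classifier over a log and return (src, dst, proto, reason) tuples."""
    hits = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        reason = classify_dns_egress(pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
        if reason is not None:
            hits.append((str(pkt["src"]), str(pkt["dst"]), pkt["proto"], reason))
    return hits


def violations_by_source(hits):
    """Count violations per source address, to pick which host to look at first."""
    counts = {}
    for src, _dst, _proto, _reason in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_dns_policy_violations(SAMPLE_LOG)
    for hit in hits:
        print("%-12s -> %-15s %-4s %s" % hit)
    print(violations_by_source(hits))
```

The same classifier is what the firewall rule itself should encode: a deny for destination port 53 leaving the perimeter unless the source is one of the forwarding resolvers, and (if the resolvers are pure forwarders) unless the destination is one of their configured upstreams. The log-side check is there to confirm the rule is actually in place and to find which internal host is the one doing the asking.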


