[Dshield] DNS blackholes
peteoutside at yahoo.com
Sat Dec 10 00:17:44 GMT 2005
Frank Knobbe <frank at knobbe.us> wrote: On Fri, 2005-12-09 at 14:07 -0800, Pete Cap wrote:
> If you have badguys.org blackholed (say, redirected to 127.0.0.1),
> and someone on your network sends out a query for that IP, then the
> DNS server will return 127.0.0.1, right?
> Is it still possible for an individual host to send out a request to
> a specific server (say, dns.otherbadguys.net) for badguys.org, thus
> bypassing the blackhole? That is, you're ignoring the local DNS
Of course. That's why your firewall should only allow outbound DNS
queries from your authorized internal/forwarding name servers.
... you do restrict outbound traffic on your firewall, right?
The local DNS servers ARE the ones making the query. But they are looking up a blackholed resource at another area.
I am piecing this together from firewall logs but it appears as though a host on the network is asking the DNS server to look up a forbidden resource, X, at someone ELSE's DNS server, Y, rather than return the locally cached answer (which is 127.0.0.1) and return the IP address so traffic may commence. I don't know enough about DNS to know if this is feasible.
Find Great Deals on Holiday Gifts at Yahoo! Shopping
More information about the list