[Dshield] DNS blackholes

Brian Dessent brian at dessent.net
Sun Dec 11 18:09:00 GMT 2005


Pete Cap wrote:

>  I had a technical question I hoped someone here could answer.
> 
>  If you have badguys.org blackholed (say, redirected to 127.0.0.1), and someone on your network sends out a query for that IP, then the DNS server will return 127.0.0.1, right?
> 
>  Is it still possible for an individual host to send out a request to a specific server (say, dns.otherbadguys.net) for badguys.org, thus bypassing the blackhole?  That is, you're ignoring the local DNS server.

I don't think you understand how DNS works.  Just adding a line to your
"hosts" file does not "blackhole" anything.  It only affects name lookup
of the domain name, it does nothing to block any traffic at the layer of
TCP or IP.

Access will not be blocked for applications that connect directly by IP
address without trying to resolve the name, or that use their own DNS
resolver instead of the system's.  For most applications though, it is
sufficient as a quick and dirty way to block access since most
applications use the system-provided resolver.  However, using DNS to
block access is by no means reliable or secure, simply convenient.  For
that you would have to use a real firewall that actively blocks packets
at the IP level, and/or one that actively monitors DNS protocol traffic
to prevent the application from using its own resolver to look up the
host name.

Brian
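The three things Brian's reply separates (a hosts-file entry, an application sending its own DNS query to a server of its choosing, and a firewall that inspects DNS traffic) can be shown in a few dozen lines. The following is an added example, not code from the original post or from the DShield list; all inputs are constructed inline (the hosts file, a sanctioned resolver at 10.0.0.53 and a rogue resolver at 203.0.113.7 are assumed for illustration) and nothing is sent on the network.

```python
"""Added example (not from the original post).

1. stub_resolve(): what the system stub resolver does with a hosts-file
   'blackhole' entry -- it only affects name lookup.
2. build_dns_query() / parse_dns_question(): the RFC 1035 wire format. Any
   program can build these bytes itself and send them to UDP/53 of any
   server it likes; the hosts file is never consulted.
3. rogue_dns_flows(): the network-side check Brian alludes to, run over
   constructed flow records -- DNS traffic that is not going to the
   sanctioned resolver is flagged.
"""
import struct
from typing import Dict, List, Optional, Set

# Constructed hosts file: badguys.org 'blackholed' to loopback.
HOSTS_FILE = """\
127.0.0.1   localhost
127.0.0.1   badguys.org   # blackhole entry
"""


def stub_resolve(name: str, hosts_text: str = HOSTS_FILE) -> Optional[str]:
    """Mimic the hosts-file step of the system resolver.

    Returns the hosts-file address for name, or None meaning 'no local
    entry, the stub resolver would now ask the configured DNS server'."""
    for line in hosts_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if name.lower().rstrip('.') in (n.lower() for n in names):
            return addr
    return None


def build_dns_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a standard DNS query (RFC 1035 section 4.1) for name.

    qtype 1 = A record, class 1 = IN. Flags 0x0100 = RD (recursion desired),
    one question, no other sections. This is exactly what an application
    with its own resolver emits, addressed to whatever server it picks."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1)


def parse_dns_question(packet: bytes) -> Dict[str, object]:
    """Parse the header and first question of a DNS packet.

    This is the minimum a DNS-aware firewall has to do to see which name a
    host is asking for, regardless of which server the query is sent to."""
    txid, flags, qdcount = struct.unpack('!HHH', packet[:6])
    if qdcount < 1:
        raise ValueError('no question section')
    labels: List[str] = []
    pos = 12  # fixed-size header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError('compression pointer not expected in a query')
        labels.append(packet[pos:pos + length].decode('ascii'))
        pos += length
    qtype, qclass = struct.unpack('!HH', packet[pos:pos + 4])
    return {'txid': txid, 'qname': '.'.join(labels), 'qtype': qtype,
            'qclass': qclass, 'is_query': not (flags & 0x8000)}


# Constructed flow records as a firewall or NetFlow exporter might log them.
# 10.0.0.53 is the (assumed) sanctioned internal resolver.
SANCTIONED_RESOLVERS: Set[str] = {'10.0.0.53'}
FLOWS = [
    {'src': '10.0.1.20', 'dst': '10.0.0.53',    'proto': 'udp', 'dport': 53},
    {'src': '10.0.1.21', 'dst': '203.0.113.7',  'proto': 'udp', 'dport': 53},
    {'src': '10.0.1.21', 'dst': '203.0.113.7',  'proto': 'tcp', 'dport': 53},
    {'src': '10.0.1.22', 'dst': '198.51.100.9', 'proto': 'tcp', 'dport': 443},
]


def rogue_dns_flows(flows, sanctioned: Set[str] = SANCTIONED_RESOLVERS):
    """Return flows that carry DNS (UDP or TCP port 53) to a server other
    than the sanctioned resolver(s). Blocking these at the firewall is what
    actually stops a host from bypassing the local blackhole."""
    return [f for f in flows
            if f['dport'] == 53 and f['proto'] in ('udp', 'tcp')
            and f['dst'] not in sanctioned]


if __name__ == '__main__':
    print('hosts file says badguys.org ->', stub_resolve('badguys.org'))
    pkt = build_dns_query('badguys.org', txid=0x1234)
    print('hand-built query asks for', parse_dns_question(pkt)['qname'],
          '(can be sent to any server; hosts file ignored)')
    for f in rogue_dns_flows(FLOWS):
        print('rogue DNS:', f['src'], '->', f['dst'], f['proto'])
```

The point of the last function is the one Brian makes: the hosts-file entry and the hand-built query never interact, so the only place a policy can be enforced is on the wire, either by dropping port-53 traffic that is not headed to your own resolver or by parsing the question section of whatever DNS packets do pass.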

