[Dshield] DNS blackholes

Frank Knobbe frank at knobbe.us
Sun Dec 11 18:36:25 GMT 2005


On Fri, 2005-12-09 at 16:17 -0800, Pete Cap wrote:
>  The local DNS servers ARE the ones making the query.  But they are
> looking up a blackholed resource at another area.

It could be that your DNS server with the black-hole list is trying to
resolve the black-holed server. It depends on how your server and the
black-hole list are configured. It might be prefetching results from the
authoritative server of the blocked domain because the TTL for that
record is about to expire.

I would strongly suggest that you run a DNS black-hole on a *caching
server only*. Don't run it on a server that is a cache as well as a
normal zone-serving server.
 
>  I am piecing this together from firewall logs but it appears as
> though a host on the network is asking the DNS server to look up a
> forbidden resource, X, at someone ELSE's DNS server, Y, rather than
> return the locally cached answer (which is 127.0.0.1) and return the
> IP address so traffic may commence.

But then you would see the requests coming from that workstation, not
your DNS servers. And the direct requests from workstations can be
blocked on the firewall. Workstations should be forced to query the
cache which in turn will query the Internet. If the cache tries to
resolve records for black-holed domains, check if those queries are of
the *same type*. You might have a black-hole entry for A records when
clients are requesting MX records.

The way I built black-holes in the past is to utilize DJB dnscache and
configure it so that the black-holed domain is supposed to be served by
host 127.0.0.53. So the cache will forward ANY requests for that domain
and subdomains to 127.0.0.53, which in turn will NOT return any results.
So the cache doesn't return 127.0.0.1 to the user as the result for any
lookups; the cache tries to resolve the queries at a non-existent
address, and eventually returns an NXDOMAIN to the client.

Your setup may differ of course. Make sure you are using the right
strategy when responding to client requests.

Cheers,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
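Added example (not code from the post above, nor from djbdns): a small model of the two black-hole strategies Frank contrasts, a record-level entry that hands back 127.0.0.1 only for the listed name and type, versus delegating the whole domain to a sink address (127.0.0.53) that never answers. The domain names and the black-hole list are constructed sample data; the point it shows is which client queries still leave the cache for the Internet, which is what the firewall logs in the thread would record.

```python
"""Model of record-level vs delegation-level DNS black-holing.

Constructed example: the names and lists below are sample data, not a
real black-hole list. 'upstream' marks a query the cache would send to
the Internet, i.e. the traffic a firewall log would attribute to the
caching server itself.
"""
from typing import List, Set, Tuple

SINK = "127.0.0.53"          # delegation target that never answers
LOCAL_ANSWER = "127.0.0.1"   # answer a record-level entry hands back

# Record-level entries are (name, type); delegation entries are domains.
RECORD_BLACKHOLE: Set[Tuple[str, str]] = {("bad.example", "A")}
DELEGATION_BLACKHOLE: Set[str] = {"bad.example"}


def _covered(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def resolve_record_level(name: str, qtype: str) -> str:
    """Exact name+type match answers locally; anything else goes upstream,
    so an MX lookup or a subdomain of an A-only entry still leaks out."""
    if (name.rstrip(".").lower(), qtype.upper()) in RECORD_BLACKHOLE:
        return f"local:{LOCAL_ANSWER}"
    return "upstream"


def resolve_delegation_level(name: str, qtype: str) -> str:
    """Any type, for the domain or any subdomain, is forwarded to the sink,
    which never replies, so the client eventually gets NXDOMAIN and no
    query reaches the real authoritative server."""
    if any(_covered(name, d) for d in DELEGATION_BLACKHOLE):
        return f"sink:{SINK}"
    return "upstream"


def leaked_queries(queries: List[Tuple[str, str]], resolver) -> List[Tuple[str, str]]:
    """Queries the cache would still send to the Internet under a resolver."""
    return [(n, t) for n, t in queries if resolver(n, t) == "upstream"]


if __name__ == "__main__":
    sample = [("bad.example", "A"), ("bad.example", "MX"), ("www.bad.example", "A")]
    print("record-level leaks:", leaked_queries(sample, resolve_record_level))
    print("delegation leaks:  ", leaked_queries(sample, resolve_delegation_level))
```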
