[Dshield] DNS blackholes

Pete Cap peteoutside at yahoo.com
Mon Dec 12 13:52:38 GMT 2005


I think I need to be more clear here.

One of our clients wants to deny access to a domain (badguys.org).  I am not the one running the DNS server, or doing ANY administration of their network.  I'm doing after-the-fact intrusion analysis and this came up.

Examination of firewall logs showed some hosts behind the firewall requesting PTR records for dns.badguys.org, a domain which is supposed to be blackholed due to previous attacks, spam, and what-have-you.  The requests, however, were being directed to dns.meanpeople.net (I guess some of you thought "otherbadguys" was supposed to be a subdomain or something, sorry).  The firewall is reporting that these lookups were successful, so I'm thinking that the steps the local admins took in order to prevent access to badguys.org were ineffective--it ignored WHAT resource was being looked up, apparently only paying attention to WHERE it was looked up.

So, based on your knowledge of DNS, is this plausible?  I understand that once they had the IP for dns.badguys.org, they could do any lookups they wanted there.


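A defender-side check for the gap described above, added here as an illustrative example and not code from the original post or the Dshield list: it parses a few constructed firewall DNS log lines (the log format, the addresses and the function names are all assumptions) and flags queries whose name falls under a blackholed domain no matter which resolver they were sent to, which is exactly what a rule keyed only on the destination resolver misses.

```python
"""Name-based versus destination-based checks for a DNS blackhole.

All log lines below are constructed for illustration; the line format
is an assumed simplified firewall format, not any real product's.
"""
from dataclasses import dataclass

# Constructed sample log: "<src> -> <dst>:53 <qtype> <qname> <action>"
# 203.0.113.7 stands in for the (hypothetical) address of dns.badguys.org,
# 192.0.2.53 for an unrelated third-party resolver such as dns.meanpeople.net.
SAMPLE_LOG = """\
10.1.1.20 -> 192.0.2.53:53 PTR dns.badguys.org ALLOW
10.1.1.21 -> 198.51.100.2:53 A www.example.net ALLOW
10.1.1.22 -> 203.0.113.7:53 A badguys.org DENY
10.1.1.23 -> 192.0.2.53:53 A mail.badguys.org ALLOW
10.1.1.24 -> 192.0.2.53:53 A notbadguys.org ALLOW
"""


@dataclass(frozen=True)
class DnsQuery:
    src: str
    dst: str
    qtype: str
    qname: str
    action: str


def parse_line(line: str) -> DnsQuery:
    """Parse one line of the assumed log format into a DnsQuery."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "->":
        raise ValueError(f"unrecognised log line: {line!r}")
    src, _, dst_port, qtype, qname, action = parts
    dst = dst_port.rsplit(":", 1)[0]
    return DnsQuery(src, dst, qtype, qname.rstrip(".").lower(), action)


def name_in_domain(qname: str, domain: str) -> bool:
    """True if qname is domain itself or a subdomain of it.

    Comparison is label-wise so that 'notbadguys.org' is NOT treated
    as being under 'badguys.org'; a plain substring test would be.
    """
    q = qname.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(q) >= len(d) and q[-len(d):] == d


def destination_blocked(query: DnsQuery, blocked_resolvers: set) -> bool:
    """The WHERE check: only blocks traffic to listed resolver addresses."""
    return query.dst in blocked_resolvers


def name_blocked(query: DnsQuery, blocked_domains: set) -> bool:
    """The WHAT check: blocks any query for a name under a blackholed domain."""
    return any(name_in_domain(query.qname, d) for d in blocked_domains)


def find_bypasses(log_text: str, blocked_domains: set, blocked_resolvers: set) -> list:
    """Return queries a destination-only rule lets through but a name-based
    check would catch: lookups for blackholed names sent to other resolvers."""
    bypasses = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        if name_blocked(q, blocked_domains) and not destination_blocked(q, blocked_resolvers):
            bypasses.append(q)
    return bypasses


if __name__ == "__main__":
    hits = find_bypasses(SAMPLE_LOG, {"badguys.org"}, {"203.0.113.7"})
    for q in hits:
        print(f"bypass: {q.src} asked {q.dst} for {q.qtype} {q.qname} ({q.action})")
```

Running it reports the two lookups for `dns.badguys.org` and `mail.badguys.org` that went to the third-party resolver and were allowed, while the query for `notbadguys.org` is correctly left alone; this is the pattern to search for in the firewall logs when a blackhole turns out to have been enforced by resolver address rather than by query name.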
