[Dshield] DNS blackholes

David B. Bukowski davebb at weather.cod.edu
Mon Dec 12 15:22:17 GMT 2005


The client computer itself is doing the lookup?  One way this could have
been stopped is having the FW block all DNS !!EXCEPT!! from the actual DNS
servers themselves.  So have some sort of exception rule on the FW to
allow only dns1.friendly.org and dns2.friendly.org to access DNS
outside.  The rest should be denied.  This is at the firewall level.  Next I'd
say find some way to prevent the DNS server from accessing badguys.org
(i.e. make a root record to point to your DNS server and there have it
return 127.0.0.1).  Is this an answer to your question a lil more?
-dave


On Mon, 12 Dec 2005, Pete Cap wrote:

List,

I think I need to be more clear here.

One of our clients wants to deny access to a domain (badguys.org).  I am not the one running the DNS server, or doing ANY administration of their network.  I'm doing after-the-fact intrusion analysis and this came up.

Examination of firewall logs showed some hosts behind the firewall requesting PTR records for dns.badguys.org, a domain which is supposed to be blackholed due to previous attacks, spam, and what-have-you.  The requests, however, were being directed to dns.meanpeople.net (I guess some of you thought "otherbadguys" was supposed to be a subdomain or something, sorry).  The firewall is reporting that these lookups were successful, so I'm thinking that the steps the local admins took in order to prevent access to badguys.org were ineffective--it ignored WHAT resource was being looked up, apparently only paying attention to WHERE it was looked up.

So, based on your knowledge of DNS, is this plausible?  I understand that once they had the IP for dns.badguys.org, they could do any lookups they wanted there.

Regards,
Pete





-------------------------------------------------------------------------------
David B. Bukowski	|email (work):		bukowski at cdnet.cod.edu
Network Analyst III	|email (personal):	davebb at cshschess.org
College of Dupage	|webpage: 	http://www.cshschess.org/davebb/	
Glen Ellyn, Illinois	|pager:			(708) 241-7655 
http://www.cod.edu/	|work phone:		(630) 942-2591
-------------------------------------------------------------------------------
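The two controls discussed in this thread (the WHERE rule: only the approved resolvers may send DNS outbound, and the WHAT rule: names under a blackholed domain are answered locally and never leave the network) can be audited against firewall logs after the fact. The script below is an added example written for this archive page; it is not code from either poster. The log line layout, the resolver addresses (10.0.0.53 and 10.0.0.54 standing in for dns1.friendly.org and dns2.friendly.org), the internal network range and the external addresses are all constructed for the example. It flags any outbound port 53 traffic from a host that is not an approved resolver, and separately flags any outbound query for a name under badguys.org, which is exactly the case Pete describes: a lookup that passed because the control only checked where it went, not what was asked.

```python
"""
Audit firewall log lines for DNS requests that the two controls from the
thread should have stopped.

  WHERE control: only approved internal resolvers may send DNS (port 53)
                 to the outside; every other internal host is denied.
  WHAT control:  a name under a blackholed domain is answered locally
                 (e.g. with 127.0.0.1), so it should never be seen leaving
                 the network no matter which server is asked.

All addresses, host names and the log format are constructed for this
example; adapt LINE_RE to the real firewall's syslog layout.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed policy: the two resolvers named in the thread with made-up
# RFC 1918 addresses.  Only these may talk DNS to the outside.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"): "dns1.friendly.org",
    ipaddress.ip_address("10.0.0.54"): "dns2.friendly.org",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed
BLACKHOLED_DOMAINS = {"badguys.org"}

# Constructed syslog-style layout (not any real firewall's format).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"qtype=(?P<qtype>\S+) qname=(?P<qname>\S+) action=(?P<action>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def in_blackholed_domain(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a blackholed domain.
    Suffix matching is done on label boundaries so notbadguys.org is not
    mistaken for badguys.org."""
    name = normalize(qname)
    for dom in BLACKHOLED_DOMAINS:
        d = normalize(dom)
        if name == d or name.endswith("." + d):
            return True
    return False


def is_internal(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, src, qname) for every log line violating a control.
    A single line can produce both findings."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dport"] != "53":
            continue                      # not a DNS record we understand
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        outbound = is_internal(src) and not is_internal(dst)
        if outbound and src not in APPROVED_RESOLVERS:
            findings.append(("unapproved-resolver", m["src"], m["qname"]))
        if outbound and in_blackholed_domain(m["qname"]):
            findings.append(("blackholed-domain-leaked", m["src"], m["qname"]))
    return findings


# Constructed sample log: one clean lookup, one workstation asking an
# outside server for a blackholed name (both controls fail), one approved
# resolver forwarding a blackholed name (only the WHAT control fails), one
# workstation asking the internal resolver (fine), an unrelated HTTP line,
# and a look-alike domain that must not match.
SAMPLE_LOG = [
    "Dec 12 14:01:02 fw: DNS src=10.0.0.53 dst=198.51.100.10 dport=53 qtype=A qname=www.example.com action=ALLOW",
    "Dec 12 14:01:09 fw: DNS src=10.1.2.3 dst=203.0.113.53 dport=53 qtype=PTR qname=dns.badguys.org. action=ALLOW",
    "Dec 12 14:02:11 fw: DNS src=10.0.0.54 dst=203.0.113.53 dport=53 qtype=A qname=mail.badguys.org action=ALLOW",
    "Dec 12 14:02:40 fw: DNS src=10.1.2.4 dst=10.0.0.53 dport=53 qtype=A qname=www.badguys.org action=ALLOW",
    "Dec 12 14:05:00 fw: HTTP src=10.1.2.5 dst=203.0.113.80 dport=80 action=ALLOW",
    "Dec 12 14:06:13 fw: DNS src=10.0.0.53 dst=198.51.100.10 dport=53 qtype=A qname=notbadguys.org action=ALLOW",
]

if __name__ == "__main__":
    for finding, src, qname in audit(SAMPLE_LOG):
        print(f"{finding:25} src={src:12} qname={qname}")
```

The first finding on 10.1.2.3 is the firewall gap Dave describes (a non-resolver host reaching an outside DNS server at all); the finding on 10.0.0.54 is the resolver gap (an approved resolver still forwarding a blackholed name instead of answering it from a local zone). The line to 10.0.0.53 from 10.1.2.4 produces nothing because it never leaves the network, which is where a local blackhole zone is supposed to catch it.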


