[Dshield] DNS blackholes

Lockley, Stephen Stephen.Lockley at atosorigin.com
Mon Dec 12 15:30:49 GMT 2005


Good afternoon,

I maybe wrong here but you could configure DNS not to ask the
dns.badguys.org server by using the following within your DNS
configuration file :-
This should work for BIND 9.1.0 or later.

Server X.X.X.X {
	bogus yes;
};

Regards

Stephen  

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
Sent: 12 December 2005 13:53
To: General DShield Discussion List
Subject: Re: [Dshield] DNS blackholes

List,

I think I need to be more clear here.

One of our clients wants to deny access to a domain (badguys.org).  I am
not the one running the DNS server, or doing ANY administration of their
network.  I'm doing after-the-fact intrusion analysis and this came up.

Examination of firewall logs showed some hosts behind the firewall
requesting PTR records for dns.badguys.org, a domain which is supposed
to be blackholed due to previous attacks, spam, and what-have-you.  The
requests, however, were being directed to dns.meanpeople.net (I guess
some of you thought "otherbadguys" was supposed to be a subdomain or
something, sorry).  The firewall is reporting that these lookups were
successful, so I'm thinking that the steps the local admins took in
order to prevent access to badguys.org were ineffective--it ignored WHAT
resource was being looked up, apparently only paying attention to WHERE
it was looked up.

So, based on your knowledge of DNS, is this plausible?  I understand
that once they had the IP for dns.badguys.org, they could do any lookups
they wanted there.

Regards,
Pete


			
---------------------------------
Yahoo! Shopping
 Find Great Deals on Holiday Gifts at Yahoo! Shopping
_________________________________________
Using .Net? Need to know more about .Net Security?
http://isc.sans.org/banner_count.php?dest=dotnet

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list





__________________________________________________________________________
This e-mail and the documents attached are confidential and intended 
solely for the addressee; it may also be privileged. If you receive this 
e-mail in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos Origin group 
liability cannot be triggered for the message content. Although the 
sender endeavours to maintain a computer virus-free network, the sender 
does not warrant that this transmission is virus-free and will not be 
liable for any damages resulting from any virus transmitted.
__________________________________________________________________________



More information about the list mailing list