[DNSfirewalls] domaincontrol?

Paul Vixie paul at redbarn.org
Tue Aug 27 06:16:19 UTC 2013


today's spam brought the usual stuff, but it's sunday so i decided to
have a look. defanged:

nizeteh
h t t p ://sieuthithamsan.com/movie.htm hoxebyh qizul symu tex nyly kybi
funikuz fufysud

i checked my full service resolvers ("recursive nameservers") to see if
any of my RPZ providers caught it:

;; AUTHORITY SECTION:
sieuthithamsan.com.     172056  IN      NS      ns29.domaincontrol.com.
sieuthithamsan.com.     172056  IN      NS      ns30.domaincontrol.com.

;; ADDITIONAL SECTION:
ns29.domaincontrol.com. 8075    IN      A       216.69.185.15
ns30.domaincontrol.com. 8075    IN      A       208.109.255.15

no RPZ for it yet. so i thought i'd find out if domaincontrol had any
non-junk domains that i might miss:

$ isc_dnsdb_query -l 1000000 -n \*.domaincontrol.com/ns > /var/tmp/domaincontrol

paging through that million-name output file showed lots of junk and no
non-junk.

$ head /var/tmp/domaincontrol
naturesremedies.biz. IN NS 51.domaincontrol.com.
e-piphany.biz. IN NS ns.51.domaincontrol.com.
naturesremedies.biz. IN NS 52.domaincontrol.com.
intellecap.biz. IN NS n40.domaincontrol.com.
fapl.biz. IN NS ns1.domaincontrol.com.
nmts.biz. IN NS ns1.domaincontrol.com.
soobahkdo.biz. IN NS ns1.domaincontrol.com.
budsandbabes.biz. IN NS ns1.domaincontrol.com.
johnshandymanservice.biz. IN NS ns1.domaincontrol.com.
fapl.biz. IN NS ns2.domaincontrol.com.

looking at the surrounding /24 for each of the name servers ns29 and
ns30 showed lots more junk:

$ isc_dnsdb_query -i 216.69.185.0/24 | head
ns3.igirona.biz. IN A 216.69.185.1
ns1.investcapitalmanagement.biz. IN A 216.69.185.2
b.ns.h3f.biz. IN A 216.69.185.3
ns1.jeweller.biz. IN A 216.69.185.13
ns1.angelofsoul.biz. IN A 216.69.185.13
ns4.ip0.biz. IN A 216.69.185.15
ns1.pennymart.biz. IN A 216.69.185.21
ns2.easy-travel.biz. IN A 216.69.185.25
larry.kevinkatovic.biz. IN A 216.69.185.47
ns1.ace.biz. IN A 216.69.185.50

$ isc_dnsdb_query -i 208.109.255.0/24 | head
ns4.igirona.biz. IN A 208.109.255.1
a.ns.h3f.biz. IN A 208.109.255.2
ns2.investcapitalmanagement.biz. IN A 208.109.255.2
ns2.jeweller.biz. IN A 208.109.255.13
ns2.angelofsoul.biz. IN A 208.109.255.13
ns2.pennymart.biz. IN A 208.109.255.21
ns1.easy-travel.biz. IN A 208.109.255.25
calvin.kevinkatovic.biz. IN A 208.109.255.47
ns2.ace.biz. IN A 208.109.255.50
ns2.aez.biz. IN A 208.109.255.50

and what about the rest of the *.domaincontrol.com name servers -- are
they in the same IP block as the first two?

$ isc_dnsdb_query -r \*.domaincontrol.com/a | grep 'IN A' | head
domaincontrol.com. IN A 68.178.211.104
ns01.domaincontrol.com. IN A 216.69.185.1
ns02.domaincontrol.com. IN A 208.109.255.1
ns03.domaincontrol.com. IN A 216.69.185.2
ns04.domaincontrol.com. IN A 208.109.255.2
ns05.domaincontrol.com. IN A 216.69.185.3
ns06.domaincontrol.com. IN A 208.109.255.3
ns07.domaincontrol.com. IN A 216.69.185.4
ns08.domaincontrol.com. IN A 208.109.255.4
ns09.domaincontrol.com. IN A 216.69.185.5

so while i could have just RPZ'd the domain name that spammed me, that's
a throwaway name; the attacker won't miss it. and while i could have RPZ'd
the name server names, it turns out this attacker has quite a few and they
aren't all in "*.domaincontrol.com". so i'm going to RPZ out all
nameservers in these two /24 blocks. in my private enterprise RPZ zone,
this looks as follows:

; domaincontrol
24.0.255.109.208.rpz-nsip       CNAME   .       ; 208.109.255.0/24
24.0.185.69.216.rpz-nsip        CNAME   .       ; 216.69.185.0/24

here's what it looks like on the wire:

; <<>> DiG 9.9.3-rpz2+rl.13204.02-P2 <<>> ans01.domaincontrol.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63374
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ans01.domaincontrol.com.       IN      A

;; AUTHORITY SECTION:
dns-policy.vix.com.     30      IN      SOA     nsa.vix.su. hostmaster.vix.su. 67 3600 1800 604800 30

;; Query time: 1 msec
;; SERVER: 2001:559:8000:cb::2#53(2001:559:8000:cb::2)
;; WHEN: Tue Aug 27 06:13:44 UTC 2013
;; MSG SIZE  rcvd: 124

this won't stop the spam from arriving, but it will make sure nobody can
click on links inside such e-mail.

vixie
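An added example, not from the post and not BIND or ISC code: a short Python script that builds and decodes rpz-nsip trigger owner names in the format shown above (prefix length first, network octets reversed), loads the two-line zone fragment from the post, and checks the ns29/ns30 glue addresses against it. The function names, the ACTIONS map and the zone string are my own; the longest-prefix tie-break mirrors how RPZ resolves overlapping address triggers.

```python
import ipaddress

def rpz_nsip_owner(cidr):
    """Encode an IPv4 CIDR block as a relative RPZ NSIP trigger owner name:
    prefix length first, then the network octets least-significant first."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{rev}.rpz-nsip"

def parse_rpz_nsip_owner(owner):
    """Decode a relative IPv4 NSIP trigger owner name back into its network."""
    labels = owner.split(".")
    if len(labels) != 6 or labels[-1] != "rpz-nsip":
        raise ValueError(f"not an IPv4 rpz-nsip trigger: {owner}")
    addr = ".".join(reversed(labels[1:5]))
    return ipaddress.IPv4Network(f"{addr}/{labels[0]}", strict=True)

# Constructed copy of the zone fragment from the post; "CNAME ." is the RPZ
# encoding of the NXDOMAIN action.
RPZ_ZONE = """\
; domaincontrol
24.0.255.109.208.rpz-nsip       CNAME   .       ; 208.109.255.0/24
24.0.185.69.216.rpz-nsip        CNAME   .       ; 216.69.185.0/24
"""
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def load_nsip_triggers(zone_text):
    """Parse (network, action) pairs from the NSIP records of a zone fragment."""
    rules = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ';' comments
        if not line:
            continue
        owner, rtype, rdata = line.split()[:3]
        if rtype == "CNAME" and owner.endswith(".rpz-nsip"):
            rules.append((parse_rpz_nsip_owner(owner), ACTIONS.get(rdata, rdata)))
    return rules

def nsip_policy(ns_addrs, rules):
    """Longest-prefix match of the delegation's name-server addresses against
    the NSIP rules; returns the winning action, or None when nothing matches."""
    best = None
    for addr in ns_addrs:
        ip = ipaddress.IPv4Address(addr)
        for net, action in rules:
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, action)
    return best[1] if best else None

if __name__ == "__main__":
    rules = load_nsip_triggers(RPZ_ZONE)
    # ADDITIONAL SECTION from the post: the ns29 / ns30 glue addresses.
    print(nsip_policy(["216.69.185.15", "208.109.255.15"], rules))  # NXDOMAIN
```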