[DNSfirewalls] domaincontrol?

Paul Vixie paul at redbarn.org
Tue Aug 27 06:16:19 UTC 2013

today's spam brought the usual stuff, but it's sunday so i decided to
have a look. defanged:

h t t p ://sieuthithamsan.com/movie.htm hoxebyh qizul symu tex nyly kybi
funikuz fufysud

i checked my full service resolvers ("recursive nameservers") to see if
any of my RPZ providers caught it:

sieuthithamsan.com.     172056  IN      NS      ns29.domaincontrol.com.
sieuthithamsan.com.     172056  IN      NS      ns30.domaincontrol.com.

ns29.domaincontrol.com. 8075    IN      A
ns30.domaincontrol.com. 8075    IN      A

no RPZ for it yet. so i thought i'd find out if domaincontrol had any
non-junk domains that i might miss:

$ isc_dnsdb_query -l 1000000 -n \*.domaincontrol.com/ns >

paging through that million-name output file showed lots of junk and no

$ head /var/tmp/domaincontrol
naturesremedies.biz. IN NS 51.domaincontrol.com.
e-piphany.biz. IN NS ns.51.domaincontrol.com.
naturesremedies.biz. IN NS 52.domaincontrol.com.
intellecap.biz. IN NS n40.domaincontrol.com.
fapl.biz. IN NS ns1.domaincontrol.com.
nmts.biz. IN NS ns1.domaincontrol.com.
soobahkdo.biz. IN NS ns1.domaincontrol.com.
budsandbabes.biz. IN NS ns1.domaincontrol.com.
johnshandymanservice.biz. IN NS ns1.domaincontrol.com.
fapl.biz. IN NS ns2.domaincontrol.com.

looking at the surrounding /24 for each of the name servers ns29 and
ns30 showed lots more junk:

$ isc_dnsdb_query -i | head
ns3.igirona.biz. IN A
ns1.investcapitalmanagement.biz. IN A
b.ns.h3f.biz. IN A
ns1.jeweller.biz. IN A
ns1.angelofsoul.biz. IN A
ns4.ip0.biz. IN A
ns1.pennymart.biz. IN A
ns2.easy-travel.biz. IN A
larry.kevinkatovic.biz. IN A
ns1.ace.biz. IN A

$ isc_dnsdb_query -i | head
ns4.igirona.biz. IN A
a.ns.h3f.biz. IN A
ns2.investcapitalmanagement.biz. IN A
ns2.jeweller.biz. IN A
ns2.angelofsoul.biz. IN A
ns2.pennymart.biz. IN A
ns1.easy-travel.biz. IN A
calvin.kevinkatovic.biz. IN A
ns2.ace.biz. IN A
ns2.aez.biz. IN A

and what about the rest of the *.domaincontrol.com name servers -- are
they in the same IP block as the first two?

isc_dnsdb_query -r \*.domaincontrol.com/a | grep 'IN A' | head
domaincontrol.com. IN A
ns01.domaincontrol.com. IN A
ns02.domaincontrol.com. IN A
ns03.domaincontrol.com. IN A
ns04.domaincontrol.com. IN A
ns05.domaincontrol.com. IN A
ns06.domaincontrol.com. IN A
ns07.domaincontrol.com. IN A
ns08.domaincontrol.com. IN A
ns09.domaincontrol.com. IN A

so while i could have just RPZ'd the domain name that spammed me, that's
a throwaway name, the attacker won't miss it. and while i could have RPZ'd
the name server names, it turns out this attacker has quite a few and they
aren't all in "*.domaincontrol.com". so i'm going to RPZ out all
nameservers in these two /24 blocks. in my private enterprise RPZ zone,
this looks as follows:

; domaincontrol       CNAME   .       ;        CNAME   .       ;

here's what it looks like on the wire:

; <<>> DiG 9.9.3-rpz2+rl.13204.02-P2 <<>> ans01.domaincontrol.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63374
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;ans01.domaincontrol.com.       IN      A

dns-policy.vix.com.     30      IN      SOA     nsa.vix.su.
hostmaster.vix.su. 67 3600 1800 604800 30

;; Query time: 1 msec
;; SERVER: 2001:559:8000:cb::2#53(2001:559:8000:cb::2)
;; WHEN: Tue Aug 27 06:13:44 UTC 2013
;; MSG SIZE  rcvd: 124

this won't stop the spam from arriving, but it will make sure nobody can
click on links inside such e-mail.
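The approach above (block every name server living in the offending /24 blocks, plus the name server names themselves, so that any domain delegated to them returns NXDOMAIN) can be turned into RPZ zone data mechanically. The script below is an added example, not code from the post or from ISC; it builds RPZ NSIP and NSDNAME triggers from a constructed list of name-server A records that stands in for the passive-DNS output shown in the post. The addresses are RFC 5737 documentation ranges chosen for the example, since the post does not give the real blocks, and the zone origin `dns-policy.example.` and the SOA/NS contents are placeholders.

```python
import ipaddress

# Constructed sample of "name server -> address" pairs, standing in for the
# isc_dnsdb_query listings in the post. Addresses are documentation ranges;
# the real /24 blocks are not given in the post.
SAMPLE_NS_A = [
    ("ns29.domaincontrol.com.", "192.0.2.29"),
    ("ns30.domaincontrol.com.", "198.51.100.30"),
    ("ns3.igirona.biz.", "192.0.2.3"),
    ("ns4.igirona.biz.", "198.51.100.4"),
    ("ns1.jeweller.biz.", "192.0.2.9"),
    ("ns1.example.org.", "203.0.113.1"),   # unrelated server, must not be blocked
]

SEED_SERVERS = {"ns29.domaincontrol.com.", "ns30.domaincontrol.com."}


def rpz_nsip_owner(network):
    """Encode an IPv4 network as an RPZ NSIP trigger owner name.

    RPZ writes address triggers as prefix.B4.B3.B2.B1.rpz-nsip: the prefix
    length first, then the octets in reverse order (192.0.2.0/24 becomes
    24.0.2.0.192.rpz-nsip)."""
    net = ipaddress.IPv4Network(network, strict=False)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-nsip"


def rpz_nsdname_owner(nsname):
    """NSDNAME trigger: fires for any domain delegated to this name server."""
    return nsname.rstrip(".") + ".rpz-nsdname"


def blocks_for(ns_a_pairs, seed_servers, prefixlen=24):
    """Return the set of /prefixlen networks that contain the seed servers."""
    nets = set()
    for name, addr in ns_a_pairs:
        if name in seed_servers:
            nets.add(ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False))
    return nets


def is_blocked(addr, nets):
    """True if a name server address falls inside one of the blocked networks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


def build_rpz_zone(ns_a_pairs, seed_servers, origin="dns-policy.example.",
                   prefixlen=24):
    """Emit zone text: NSIP triggers for each blocked /prefixlen, plus an
    NSDNAME trigger for every server name seen inside those blocks.
    'CNAME .' is the RPZ action that answers NXDOMAIN, as in the dig
    output in the post."""
    nets = blocks_for(ns_a_pairs, seed_servers, prefixlen)
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 30",
        "@  SOA  ns.invalid. hostmaster.invalid. 1 3600 1800 604800 30",
        "@  NS   ns.invalid.",
        "; NSIP triggers: any domain served from these blocks",
    ]
    for net in sorted(nets):
        lines.append(f"{rpz_nsip_owner(net):<44} CNAME .")
    lines.append("; NSDNAME triggers: the server names themselves")
    for name, addr in sorted(set(ns_a_pairs)):
        if is_blocked(addr, nets):
            lines.append(f"{rpz_nsdname_owner(name):<44} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_NS_A, SEED_SERVERS))
```

Both trigger types are worth emitting: the NSIP rule catches attacker domains delegated to servers you have never seen by name, while the NSDNAME rule keeps working if a server's address moves out of the block. A resolver with the policy zone loaded answers NXDOMAIN with the policy zone's SOA in the authority section, which is the signature the dig output in the post shows.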
