Security Basics mailing list archives

Re: Qs Regarding DNS


From: "John R. Morris" <jrmorris () nerdality com>
Date: Wed, 29 Sep 2004 16:49:38 -0400

uus36 () hotpop com wrote:

Hi,

I wanna know all the addresses of a site, for e.g. let's say
windowsupdate.microsoft.com

Now when I do nslookup, dig or host I find 7-8 entries but that does not
assure me that these are ALL the sites.

What I wanna do is get all the IPs of a site n block them.

But via this method I am not sure that I have all the IPs of the site.
I checked a few websites which give me a subnet for that site but not specifically n ... I think those are specific to a region.

Well, anyone have some suggestion .. know some tool?

Thanx in Advance

-Joe

Well, since most DNS servers that service regular "anybody" Internet lookups for a domain are configured to not allow zone transfers, there is not an easy way to see all the records of a domain that I'm aware of. In fact, disallowing zone transfers is done to prevent some hacker from finding out all your hosts without brute force (i.e., use your domain name to get NS, MX, etc. and use those IPs to generate a range to do lookups on, then collate the results to form a picture of things).

Also, take into consideration the concept of views in the DNS config in BIND (other DNS servers have their own such things as well); with that I can specify multiple zone files for the same domain for different views and, among other criteria, sort who sees what view based on the query's originating IP (match-clients). Even by itself you could easily confuse or befuddle someone wishing to get a complete list to block your site (assuming you have multiple IPs to hand out for a given A record you didn't want easily blocked). And when you factor in using things like this plus all the packet mangling of iptables/netfilter, other network load balancing, virtual interfaces and so on, the fun can go on and on. Not to mention that you could *also* do things like have some of your views set up to lie, or make some of your A records bogus if you don't want to use views.

For example, let's say I run a bad website. Evil. Truly. And I know folks are going to try and block access in an attempt to censor my vile evilness. I could throw in a good website's (like, I don't know, Google or something) IPs so that when you query www.blockme.net, 1/12 of the time, using views and so on, you get one of Google's IPs. Now folks who want my evilness may be a bit put off or confused when they get Google instead, but will probably just hit refresh or try again later. If a blocker gets the bait, and then puts Google in their ACL, though... they aren't going to like that much. And if I had any more of an idea who is doing the blocking (like, say, they automated lookups to run every day against my domain to add me to their blacklist) I could analyze that and make sure they got bogus IPs every time while legitimate users got the right ones. Imagine a blacklisting service to prevent Evilness(TM) that collects (say from Google) a list of sites that are ranked high in evil content based on keywords, and then goes and dutifully collects the corresponding IPs. This will be a noticeable recurring logged event on my DNS server, probably at roughly the same recurring time. Fortunately for the known universe, the bad guys are 99.999% stupid and lazy (the ones who aren't both usually succeed and retire to some island to enjoy their success, or grow up, or become stupid and/or lazy).

But the short and sweet way to block access to a domain name is to use DNS against itself.
For a single host:
Under Linux/Unix & Mac OS X:
edit /etc/hosts
add a:
127.0.0.1   www.blocked.net
line to it.

Under windows:
edit HOSTS in:
*Windows XP*    =       *C:\WINDOWS\SYSTEM32\DRIVERS\ETC*
*Windows 2K*    =       *C:\WINNT\SYSTEM32\DRIVERS\ETC*
*Win 98\ME*     =       *C:\WINDOWS*


Similar syntax. Here's a webpage for reference:
http://www.mvps.org/winhelp2002/hosts.htm

For a whole network of hosts:
Build a caching DNS server (or multiple if you have a big network), create a bogus zone for each domain you want to block, and feed it to your local DNS clients (make sure they use your caching NS as a resolver).

Sure, someone can still use an IP to get whatever they wanted, or a program could use a hard-coded IP address. But if that were the case, most likely you'd only have one or two IP addresses, which you could easily add to an ACL and block after monitoring traffic and discovering them via your favorite network traffic monitoring technique.

FWIW - HTH,
John
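As an added illustration of the "caching server plus bogus zone" approach in the reply above (this is example configuration, not John's own), a BIND named.conf fragment that uses a view with match-clients so that only LAN clients get the sinkhole answer, together with a reusable sinkhole zone file. The network 192.168.0.0/16, the file names and the zone name blocked.net are assumptions.

```conf
// --- named.conf (added example; addresses, paths and zone name are assumed) ---
options {
    directory "/var/named";
    allow-transfer { none; };        // no zone transfers to anyone, as discussed above
};

view "internal" {
    // match-clients decides who sees this view: LAN clients and localhost only
    match-clients { 192.168.0.0/16; 127.0.0.1; };
    recursion yes;                   // this view acts as the caching resolver

    // root hints so the resolver can recurse for everything that is not sinkholed
    zone "." {
        type hint;
        file "named.ca";
    };

    // the "bogus zone": being authoritative locally overrides the real blocked.net
    zone "blocked.net" {
        type master;
        file "db.sinkhole";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                    // never be an open resolver for the outside
};

; --- db.sinkhole (added example) ---
; One file serves every blocked zone: "@" is whatever zone name loads it,
; and the wildcard catches www, ftp and any other host under it.
$TTL 3600
@       IN  SOA  ns hostmaster ( 2004092901 3600 900 604800 3600 )
@       IN  NS   ns
ns      IN  A    127.0.0.1
@       IN  A    127.0.0.1
*       IN  A    127.0.0.1
```

Each further domain to block is another zone stanza inside the "internal" view that points at the same db.sinkhole file; clients on the LAN then resolve www.blocked.net to 127.0.0.1 while queries from outside the match-clients range are refused recursion.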
