Verify the impact of DNS hijacking on RBL

Tags: barracuda, firewall, domain, server, nameserver, nxdomain


Some time ago the RBL function of our Barracuda firewall went wrong: it treated every IP address (except those on the whitelist) as blacklisted. We were using sbl.spamhaus.org and xbl.spamhaus.org. At first we suspected a problem with the Spamhaus service itself. Later, the DNS root servers happened to be under attack, so we assumed the root servers were to blame and temporarily disabled the RBL function. Recently, however, the amount of spam increased noticeably. After we contacted the Barracuda after-sales engineer, he told us the cause was DNS hijacking, and the problem was indeed resolved once we switched to a DNS server that is not hijacked. Since I had never fully understood how an RBL works, I decided to find out exactly how hijacking affects it.

I. RBL working principle. According to http://www.anti-spam.org.cn/refe... ction = Show & ID = 1, an RBL lookup proceeds as follows:


QUOTE:
To determine whether an address such as 11.22.33.44 is blacklisted, software using the blacklist service issues a DNS query to the blacklist server (for example cbl.anti-spam.org.cn). The query asks: does a record exist for 44.33.22.11.cbl.anti-spam.org.cn? If the address is blacklisted, the server returns a valid address as the answer. By convention this address lies in 127.0.0.0/8, for example 127.0.0.2 (this range is used because 127/8 is reserved for loopback testing; apart from 127.0.0.1, the loopback address, the other addresses can be used for this purpose, for example 127.0.0.3). If the address is not on the blacklist, the query receives a negative answer (NXDOMAIN).
The key question (highlighted in red in the original) is:
1. Must the RBL query result lie within 127.0.0.0/8? What happens if a valid Internet address is returned instead (as when DNS hijacking occurs)?
Two further questions also need answering:
2. When does DNS hijacking occur on China Telecom's resolvers?
3. Which IP address does the hijacking point to, and who owns that address?

II. Resource requirements
First, the following resources are needed:
DNS server IP address suspected of hijacking: 202.96.209.6
DNS server IP address not hijacked: 202.96.199.20
IP address listed in the RBL of xbl.spamhaus.org or sbl.spamhaus.org: 61.83.209.40
IP addresses not listed in the RBL of xbl.spamhaus.org or sbl.spamhaus.org: 219.239.89.18, 211.150.96.22
A normal domain name for resolution: www.163.com

III. Comparison and verification. Because nslookup on Windows is awkward to use, the queries below use dig and host on a Linux host.
1. Query the listed IP address against the RBL via the DNS server that is not hijacked. Normally an address in 127.0.0.0/8 should be returned:


QUOTE:
[root@mailtest2 tmp]# cat /etc/resolv.conf
nameserver 202.96.199.20

[root@mailtest2 tmp]# host 40.209.83.61.xbl.spamhaus.org
40.209.83.61.xbl.spamhaus.org has address 127.0.0.4

[root@mailtest2 tmp]# dig @202.96.199.20 40.209.83.61.xbl.spamhaus.org
... # omitted partial output
;; QUESTION SECTION:
;40.209.83.61.xbl.spamhaus.org. IN

;; ANSWER SECTION:
40.209.83.61.xbl.spamhaus.org. 1758 IN A 127.0.0.4
... # omitted partial output
;; Query time: 10 msec
;; SERVER: 202.96.199.20#53(202.96.199.20)
;; WHEN: Wed Feb 28 11:42:34 2007
;; MSG SIZE  rcvd: 466
The returned value is normal.
2. Query the IP addresses that are not listed against the RBL via the DNS server that is not hijacked. Normally NXDOMAIN should be returned:


QUOTE:
[root@mailtest2 tmp]# cat /etc/resolv.conf
nameserver 202.96.199.20

[root@mailtest2 tmp]# host 18.89.239.219.xbl.spamhaus.org
Host 18.89.239.219.xbl.spamhaus.org not found: 3(NXDOMAIN)
[root@mailtest2 tmp]# dig @202.96.199.20 18.89.239.219.xbl.spamhaus.org

; <<>> DiG 9.2.4rc6 <<>> @202.96.199.20 18.89.239.219.xbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48464
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;18.89.239.219.xbl.spamhaus.org. IN

;; AUTHORITY SECTION:
xbl.spamhaus.org. 878 IN SOA need.to.know.only. hostmaster.spamhaus.org. 2007022814 3600 600 432000

;; Query time: 21 msec
;; SERVER: 202.96.199.20#53(202.96.199.20)
;; WHEN: Wed Feb 28 11:53:36 2007
;; MSG SIZE  rcvd: 112


[root@mailtest2 tmp]# host 22.96.150.211.xbl.spamhaus.org
Host 22.96.150.211.xbl.spamhaus.org not found: 3(NXDOMAIN)
[root@mailtest2 tmp]# dig @202.96.199.20 22.96.150.211.xbl.spamhaus.org

; <<>> DiG 9.2.4rc6 <<>> @202.96.199.20 22.96.150.211.xbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27365
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;22.96.150.211.xbl.spamhaus.org. IN

;; AUTHORITY SECTION:
xbl.spamhaus.org. 878 IN SOA need.to.know.only. hostmaster.spamhaus.org. 2007022823 3600 600 432000

;; Query time: 39 msec
;; SERVER: 202.96.199.20#53(202.96.199.20)
;; WHEN: Wed Feb 28 14:13:06 2007
;; MSG SIZE  rcvd: 112
The result is normal.
3. Resolve the normal domain name via the DNS server that is not hijacked:


QUOTE:
[root@mailtest2 tmp]# cat /etc/resolv.conf
nameserver 202.96.199.20

[root@mailtest2 tmp]# host www.163.com
www.163.com is an alias for www.cache.split.netease.com.
www.cache.split.netease.com has address 220.181.31.184
www.cache.split.netease.com has address 220.181.28.50
www.cache.split.netease.com has address 220.181.28.51
www.cache.split.netease.com has address 220.181.28.52
www.cache.split.netease.com has address 220.181.28.53
www.cache.split.netease.com has address 220.181.28.54
www.cache.split.netease.com has address 220.181.31.182
www.cache.split.netease.com has address 220.181.31.183
[root@mailtest2 tmp]# dig @202.96.199.20 www.163.com
... # omitted partial output
;; QUESTION SECTION:
;www.163.com. IN

;; ANSWER SECTION:
www.163.com. 11544 IN CNAME www.cache.split.netease.com.
www.cache.split.netease.com. 296 IN A 220.181.28.50
www.cache.split.netease.com. 296 IN A 220.181.28.51
www.cache.split.netease.com. 296 IN A 220.181.28.52
www.cache.split.netease.com. 296 IN A 220.181.28.53
www.cache.split.netease.com. 296 IN A 220.181.28.54
www.cache.split.netease.com. 296 IN A 220.181.31.182
www.cache.split.netease.com. 296 IN A 220.181.31.183
www.cache.split.netease.com. 296 IN A 220.181.31.184
... # omitted partial output

;; Query time: 6 msec
;; SERVER: 202.96.199.20#53(202.96.199.20)
;; WHEN: Wed Feb 28 11:58:23 2007
;; MSG SIZE  rcvd: 127
The returned value is normal.
4. Query the listed IP address against the RBL via the suspected DNS server. Normally an address in 127.0.0.0/8 should be returned:
QUOTE:
[root@mailtest2 tmp]# cat /etc/resolv.conf
nameserver 202.96.209.6
[root@mailtest2 tmp]# host 40.209.83.61.xbl.spamhaus.org
40.209.83.61.xbl.spamhaus.org has address 127.0.0.4
[root@mailtest2 tmp]# dig @202.96.209.6 40.209.83.61.xbl.spamhaus.org
... # omitted partial output
;; QUESTION SECTION:
;40.209.83.61.xbl.spamhaus.org. IN

;; ANSWER SECTION:
40.209.83.61.xbl.spamhaus.org. 839 IN A 127.0.0.4
... # omitted partial output

;; Query time: 7 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Wed Feb 28 13:35:13 2007
;; MSG SIZE  rcvd: 466
The result is normal.
5. Query the IP addresses that are not listed against the RBL via the DNS server suspected of hijacking. Under normal circumstances NXDOMAIN should be returned; this is the key test.


QUOTE:
[root@mailtest2 tmp]# host 18.89.239.219.xbl.spamhaus.org
18.89.239.219.xbl.spamhaus.org has address 218.83.175.154
[root@mailtest2 tmp]# dig @202.96.209.6 18.89.239.219.xbl.spamhaus.org

; <<>> DiG 9.2.4rc6 <<>> @202.96.209.6 18.89.239.219.xbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54440
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;18.89.239.219.xbl.spamhaus.org. IN

;; ANSWER SECTION:
18.89.239.219.xbl.spamhaus.org. 1800 IN A 218.83.175.154

;; Query time: 539 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Wed Feb 28 14:14:43 2007
;; MSG SIZE  rcvd: 64


[root@mailtest2 tmp]# host 22.96.150.211.xbl.spamhaus.org
22.96.150.211.xbl.spamhaus.org has address 218.83.175.154
[root@mailtest2 tmp]# dig @202.96.209.6 22.96.150.211.xbl.spamhaus.org

; <<>> DiG 9.2.4rc6 <<>> @202.96.209.6 22.96.150.211.xbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;22.96.150.211.xbl.spamhaus.org. IN

;; ANSWER SECTION:
22.96.150.211.xbl.spamhaus.org. 1800 IN A 218.83.175.154

;; Query time: 831 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Wed Feb 28 14:16:24 2007
;; MSG SIZE  rcvd: 64
Strange: how can a name that should not exist resolve to an ordinary public IP address? Entering this IP address in the IE address bar opens a web page (screenshot omitted).

Opening the same address again in another window brings up a different page each time (screenshot omitted).

6. Resolve the normal domain name via the suspected DNS server:


QUOTE:
[root@mailtest2 tmp]# dig www.163.com

; <<>> DiG 9.2.4rc6 <<>> www.163.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28059
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.163.com. IN

;; ANSWER SECTION:
www.163.com. 11544 IN CNAME www.cache.split.netease.com.
www.cache.split.netease.com. 296 IN A 220.181.28.50
www.cache.split.netease.com. 296 IN A 220.181.28.51
www.cache.split.netease.com. 296 IN A 220.181.28.52
www.cache.split.netease.com. 296 IN A 220.181.28.53
www.cache.split.netease.com. 296 IN A 220.181.28.54
www.cache.split.netease.com. 296 IN A 220.181.31.182
www.cache.split.netease.com. 296 IN A 220.181.31.183
www.cache.split.netease.com. 296 IN A 220.181.31.184

;; AUTHORITY SECTION:
split.netease.com. 1196 IN NS ns-split1.netease.com.
split.netease.com. 1196 IN NS ns-split2.netease.com.

;; ADDITIONAL SECTION:
ns-split1.netease.com. 6260 IN A 202.106.168.79
ns-split2.netease.com. 5748 IN A 220.181.28.4

;; Query time: 6 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Fri Mar 2 10:17:55 2007
;; MSG SIZE  rcvd: 275
Resolution is normal. So does this DNS server redirect every domain name that cannot be resolved to 218.83.175.154? The next test checks this:
7. Resolve a made-up domain name via the suspected DNS server:


QUOTE:
[root@mailtest2 tmp]# dig @202.96.209.6 false.163.com

; <<>> DiG 9.2.4rc6 <<>> @202.96.209.6 false.163.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37904
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;false.163.com. IN

;; ANSWER SECTION:
false.163.com. 1800 IN A 218.83.175.154

;; Query time: 263 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Wed Feb 28 14:33:41 2007
;; MSG SIZE  rcvd: 47
8. Who owns the IP address 218.83.175.154?


QUOTE:
[root@mailtest2 tmp]# whois 218.83.175.154
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      218.78.0.0 - 218.83.255.255
netname:      CHINANET-SH
descr:        CHINANET Shanghai province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       XI5-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CHINANET-SH
mnt-routes:   MAINT-CHINANET-SH
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20060427
source:       APNIC

person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net
address:      No. 31, jingrong street, beijing
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      lqing@chinatelecom.com.cn 20051212
mnt-by:       MAINT-CHINANET
source:       APNIC

person:       Wu Xiao Li
address:      Room 805, 61 North Si Chuan Road, Shanghai, 200085, PRC
country:      CN
phone:        +86-21-63630562
fax-no:       +86-21-63630566
e-mail:       ip-admin@mail.online.sh.cn
nic-hdl:      XI5-AP
mnt-by:       MAINT-CHINANET-SH
changed:      ip-admin@mail.online.sh.cn 20010510
source:       APNIC
The IP address belongs to China Telecom, so the web page we were redirected to obviously belongs to China Telecom as well.

IV. Summary
The conclusion: the hateful Telecom has configured a rule on some of its DNS servers that returns the IP address 218.83.175.154 for every domain name that cannot be resolved.
V. How does DNS hijacking affect RBL?
Obviously, every domain name that cannot be resolved now receives an answer. Although the returned address is not in the 127.0.0.0/8 range, my Barracuda apparently does not check the content of the answer: it treats any reply other than NXDOMAIN as a listing, so naturally every IP address ends up blacklisted, because NXDOMAIN is never received!
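The two interpretations described above, as an added example that is not part of the original post: the script parses dig output of the shape captured in section III (the sample captures below are constructed, abbreviated copies of the page's own output), applies the RBL rule from section I (only an A record inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed", anything else is not a DNSBL answer and must not be trusted) next to the "any answer is a hit" interpretation inferred for the Barracuda, and adds the canary check from step 7: a name that must not exist (false.163.com) has to come back NXDOMAIN, otherwise the resolver is forging answers. The function names and the three-way verdict are my own choices, not Barracuda's or Spamhaus's.

```python
"""Added example, not code from the original post: parse dig output like the
captures on this page, classify the RBL answer strictly (127/8 only) and
naively (anything but NXDOMAIN), and detect NXDOMAIN hijacking with a canary."""
import ipaddress
import re
from typing import List, Tuple

DNSBL_RESULT_NET = ipaddress.ip_network("127.0.0.0/8")   # conventional RBL answer range
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# One A record per line, as dig prints it: "<name> <ttl> IN A <address>"
A_RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def dnsbl_query_name(ip: str, zone: str = "xbl.spamhaus.org") -> str:
    """Reverse the octets and append the zone: 61.83.209.40 -> 40.209.83.61.xbl.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_dig(output: str) -> Tuple[str, List[str]]:
    """Return (rcode, [A-record addresses]) from the text dig prints."""
    m = STATUS_RE.search(output)
    if not m:
        raise ValueError("no status line in dig output")
    return m.group(1), [addr for _, addr in A_RECORD_RE.findall(output)]


def classify(rcode: str, addresses: List[str]) -> str:
    """Strict RBL interpretation: 'listed' | 'clean' | 'suspect'.
    'suspect' is an answer no DNSBL would give (e.g. a routable address); that is
    exactly what a hijacking resolver produces, so the result must not be used."""
    if rcode == "NXDOMAIN":
        return "clean"
    if rcode == "NOERROR" and addresses and all(
            ipaddress.ip_address(a) in DNSBL_RESULT_NET for a in addresses):
        return "listed"
    return "suspect"


def naive_classify(rcode: str) -> str:
    """The interpretation the page infers for the Barracuda: anything but NXDOMAIN is a hit."""
    return "clean" if rcode == "NXDOMAIN" else "listed"


def resolver_hijacks_nxdomain(canary_dig_output: str) -> bool:
    """Health check: dig output for a name that must not exist (false.163.com on the page)
    should show NXDOMAIN; any other status means the resolver forges answers."""
    rcode, _ = parse_dig(canary_dig_output)
    return rcode != "NXDOMAIN"


def audit(output: str) -> Tuple[str, str]:
    """Return (naive verdict, strict verdict) for one dig capture."""
    rcode, addrs = parse_dig(output)
    return naive_classify(rcode), classify(rcode, addrs)


# Constructed dig captures, abbreviated from the ones on this page.
DIG_LISTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54440
;; ANSWER SECTION:
40.209.83.61.xbl.spamhaus.org. 1758 IN A 127.0.0.4
"""
DIG_CLEAN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48464
;; AUTHORITY SECTION:
xbl.spamhaus.org. 878 IN SOA need.to.know.only. hostmaster.spamhaus.org. 2007022814 3600 600 432000
"""
DIG_HIJACKED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21397
;; ANSWER SECTION:
18.89.239.219.xbl.spamhaus.org. 1800 IN A 218.83.175.154
"""
DIG_CANARY_HIJACKED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37904
;; ANSWER SECTION:
false.163.com. 1800 IN A 218.83.175.154
"""

if __name__ == "__main__":
    print("query name for 61.83.209.40:", dnsbl_query_name("61.83.209.40"))
    for label, out in (("listed IP, clean resolver", DIG_LISTED),
                       ("clean IP, clean resolver", DIG_CLEAN),
                       ("clean IP, hijacking resolver", DIG_HIJACKED)):
        naive, strict = audit(out)
        print(f"{label:30} naive={naive:7} strict={strict}")
    print("canary false.163.com hijacked:", resolver_hijacks_nxdomain(DIG_CANARY_HIJACKED))
```

The third row is the failure seen on the page: the naive rule reports the clean address as listed because 218.83.175.154 is "an answer", while the strict rule flags it as suspect instead. Running the canary check against each configured resolver before trusting its RBL results is the cheap way to catch this: a resolver that answers NOERROR for a name that cannot exist should not be used for DNSBL lookups at all.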