Verify the impact of DNS hijacking on RBL
Some time ago the RBL function of our Barracuda firewall behaved abnormally: it treated every IP address (except those on the whitelist) as blacklisted. We use sbl.spamhaus.org and xbl.spamhaus.org. At first we suspected a problem with the Spamhaus service itself. Then the DNS root servers happened to come under attack, and we assumed the root servers were the cause, so we temporarily disabled the RBL function. Recently, however, we noticed that the amount of spam had grown. After we contacted the Barracuda after-sales engineer, he told us the cause was DNS hijacking, and the problem went away once we switched to a DNS server that is not hijacked. Since I have never fully understood how RBL works, I decided to find out exactly how hijacking affects it.
I. RBL working principle: according to http://www.anti-spam.org.cn/refe... ction = Show & ID = 1, the steps of an RBL query are:
QUOTE:
To determine whether an address such as 11.22.33.44 is blacklisted, software using the blacklist service issues a DNS query to the blacklist server (for example cbl.anti-spam.org.cn), asking whether a record exists for 44.33.22.11.cbl.anti-spam.org.cn. If the address is blacklisted, the server returns a valid address as the answer. By convention this address lies in 127.0.0.0/8, for example 127.0.0.2 (this range is used because 127/8 is reserved for loopback testing; apart from 127.0.0.1, the loopback address itself, the other addresses can be used for this purpose, for example 127.0.0.3). If the address is not on the blacklist, the query receives a negative answer (NXDOMAIN).
This raises one key question:
1. Must the result of an RBL query lie within 127.0.0.0/8? What happens if a valid Internet address is returned instead (as it is when DNS hijacking occurs)?
Two further questions also need to be answered:
2. Under what conditions does China Telecom's DNS hijacking occur?
3. What is the target IP address of the hijacking, and who owns that address?
II. Required resources
First, the following resources are needed:
Suspected hijacked DNS server: 202.96.209.6
DNS server that is not hijacked: 202.96.199.20
An IP address listed in xbl.spamhaus.org or sbl.spamhaus.org: 61.83.209.40
IP addresses not listed in xbl.spamhaus.org or sbl.spamhaus.org: 219.239.89.18, 211.150.96.22
A normal domain name to resolve: www.163.com
III. Comparison and verification: because nslookup on Windows is awkward to use, the queries below use dig and host on a Linux host.
1. Query the RBL for the listed IP address via the DNS server that is not hijacked. Normally an address in 127.0.0.0/8 should be returned:
;; ANSWER SECTION:
40.209.83.61.xbl.spamhaus.org. 1758 IN A 127.0.0.4
... (partial output omitted)
;; Query time: 10 msec
;; SERVER: 202.96.199.20#53(202.96.199.20)
;; WHEN: Wed Feb 28 11:42:34 2007
;; MSG SIZE  rcvd: 466
The returned value is normal.
2. Query the RBL for an IP address that is not listed via the DNS server that is not hijacked. Normally NXDOMAIN is returned.
3. Resolve a normal domain name on the DNS server that is not hijacked:
[root@mailtest2 tmp]# host www.163.com
www.163.com is an alias for www.cache.split.netease.com.
www.cache.split.netease.com has address 220.181.31.184
www.cache.split.netease.com has address 220.181.28.50
www.cache.split.netease.com has address 220.181.28.51
www.cache.split.netease.com has address 220.181.28.52
www.cache.split.netease.com has address 220.181.28.53
www.cache.split.netease.com has address 220.181.28.54
www.cache.split.netease.com has address 220.181.31.182
www.cache.split.netease.com has address 220.181.31.183
[root@mailtest2 tmp]# dig @202.96.199.20 www.163.com
... (partial output omitted)
;; QUESTION SECTION:
;www.163.com. IN A
;; ANSWER SECTION:
www.163.com. 11544 IN CNAME www.cache.split.netease.com.
www.cache.split.netease.com. 296 IN A 220.181.28.50
www.cache.split.netease.com. 296 IN A 220.181.28.51
www.cache.split.netease.com. 296 IN A 220.181.28.52
www.cache.split.netease.com. 296 IN A 220.181.28.53
www.cache.split.netease.com. 296 IN A 220.181.28.54
www.cache.split.netease.com. 296 IN A 220.181.31.182
www.cache.split.netease.com. 296 IN A 220.181.31.183
www.cache.split.netease.com. 296 IN A 220.181.31.184
... (partial output omitted)
;; Query time: 6 msec
;; SERVER: 202.96.199.20#53(202.96.199.20)
;; WHEN: Wed Feb 28 11:58:23 2007
;; MSG SIZE  rcvd: 127
The returned value is normal.
4. Query the RBL for the listed IP address via the suspected DNS server. Normally an address in 127.0.0.0/8 should be returned:
[root@mailtest2 tmp]# cat /etc/resolv.conf
nameserver 202.96.209.6
[root@mailtest2 tmp]# host 40.209.83.61.xbl.spamhaus.org
40.209.83.61.xbl.spamhaus.org has address 127.0.0.4
[root@mailtest2 tmp]# dig @202.96.209.6 40.209.83.61.xbl.spamhaus.org
... (partial output omitted)
;; QUESTION SECTION:
;40.209.83.61.xbl.spamhaus.org. IN A
;; ANSWER SECTION:
40.209.83.61.xbl.spamhaus.org. 839 IN A 127.0.0.4
... (partial output omitted)
;; Query time: 7 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Wed Feb 28 13:35:13 2007
;; MSG SIZE  rcvd: 466
The returned value is normal.
5. Query the RBL for an IP address that is not listed via the suspected DNS server. Under normal circumstances NXDOMAIN should be returned; this is the crucial case.
;; QUESTION SECTION:
;22.96.150.211.xbl.spamhaus.org. IN A
;; ANSWER SECTION:
22.96.150.211.xbl.spamhaus.org. 1800 IN A 218.83.175.154
;; Query time: 831 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Wed Feb 28 14:16:24 2007
;; MSG SIZE  rcvd: 64
Strange: how can a name that should not exist resolve to a normal Internet address? Entering this IP address in the IE address bar opens a web page:
Moreover, opening it again in another window gives a different page each time!
6. Resolve a normal domain name on the suspected DNS:
;; ANSWER SECTION:
www.163.com. 11544 IN CNAME www.cache.split.netease.com.
www.cache.split.netease.com. 296 IN A 220.181.28.50
www.cache.split.netease.com. 296 IN A 220.181.28.51
www.cache.split.netease.com. 296 IN A 220.181.28.52
www.cache.split.netease.com. 296 IN A 220.181.28.53
www.cache.split.netease.com. 296 IN A 220.181.28.54
www.cache.split.netease.com. 296 IN A 220.181.31.182
www.cache.split.netease.com. 296 IN A 220.181.31.183
www.cache.split.netease.com. 296 IN A 220.181.31.184
;; AUTHORITY SECTION:
split.netease.com. 1196 IN NS ns-split1.netease.com.
split.netease.com. 1196 IN NS ns-split2.netease.com.
;; ADDITIONAL SECTION:
ns-split1.netease.com. 6260 IN A 202.106.168.79
ns-split2.netease.com. 5748 IN A 220.181.28.4
;; Query time: 6 msec
;; SERVER: 202.96.209.6#53(202.96.209.6)
;; WHEN: Fri Mar 2 10:17:55 2007
;; MSG SIZE  rcvd: 275
Resolution is normal. Does this DNS server redirect every domain name that cannot be resolved to 218.83.175.154? Verify as follows:
7. Resolve a forged domain name on the suspected DNS:
Whois record for 218.83.175.154:
person:   Wu Xiao Li
address:  Room 805, 61 North Si Chuan Road, Shanghai, 200085, PRC
country:  CN
phone:    +86-21-63630562
fax-no:   +86-21-63630566
e-mail:   ip-admin@mail.online.sh.cn
nic-hdl:  XI5-AP
mnt-by:   MAINT-CHINANET-SH
changed:  ip-admin@mail.online.sh.cn 20010510
source:   APNIC
The IP address belongs to China Telecom, and obviously the web page it redirects to also belongs to China Telecom.
IV. Summary:
We can draw the conclusion that the hateful Telecom has configured a rule on some of its DNS servers: the IP address 218.83.175.154 is returned for every domain name that cannot be resolved.
V. How does DNS hijacking affect RBL?
Obviously, every domain name that cannot be resolved now gets an answer. Although the answer is not in the 127.0.0.0/8 range, my Barracuda apparently does not check the content of the answer: anything other than NXDOMAIN counts as a listing, so naturally every IP address ends up blacklisted.
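To make the query mechanism of section I and the failure mode of section V concrete, here is an added Python example (written for this page; not code from the post, from Barracuda or from Spamhaus). It builds the reversed-octet query name, interprets the answer by the 127.0.0.0/8 convention, and contrasts a naive client that treats any answer as a listing with a strict one, against two constructed resolvers: an honest one and one that rewrites NXDOMAIN to 218.83.175.154 as observed in the post. The 1.0.0.127 sanity check relies on RFC 5782, which requires that DNSBLs never list 127.0.0.1; the resolver functions and sample data are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a query name to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers: Optional[List[str]]) -> str:
    """Interpret a DNSBL answer by the convention described in the post."""
    if answers is None:
        return "not_listed"   # NXDOMAIN: the address is not on the list
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"       # 127.0.0.0/8: a genuine listing
    return "hijacked"         # routable address: the resolver rewrote NXDOMAIN

def naive_is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Behaviour the post observed: anything other than NXDOMAIN counts as listed."""
    return resolve(dnsbl_name(ip, zone)) is not None

def strict_is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Only a 127.0.0.0/8 answer counts; a hijacked answer is treated as not listed."""
    return classify(resolve(dnsbl_name(ip, zone))) == "listed"

def resolver_rewrites_nxdomain(zone: str, resolve: Resolver) -> bool:
    """127.0.0.1 is never listed (RFC 5782), so 1.0.0.127.<zone> must be NXDOMAIN;
    any answer at all shows the resolver is rewriting NXDOMAIN."""
    return resolve("1.0.0.127." + zone) is not None

# Constructed sample data using the values observed in the post.
ZONE = "xbl.spamhaus.org"
LISTED: Dict[str, List[str]] = {"40.209.83.61.xbl.spamhaus.org": ["127.0.0.4"]}

def honest_resolver(name: str) -> Optional[List[str]]:
    return LISTED.get(name)                      # unknown name -> NXDOMAIN

def hijacking_resolver(name: str) -> Optional[List[str]]:
    return LISTED.get(name, ["218.83.175.154"])  # unknown name -> Telecom's address

if __name__ == "__main__":
    for label, r in (("honest", honest_resolver), ("hijacked", hijacking_resolver)):
        print(label, "resolver rewrites NXDOMAIN:", resolver_rewrites_nxdomain(ZONE, r))
        for ip in ("61.83.209.40", "211.150.96.22"):
            print(" ", ip, "naive:", naive_is_listed(ip, ZONE, r),
                  "strict:", strict_is_listed(ip, ZONE, r))
```

Against the hijacking resolver the naive check flags the unlisted 211.150.96.22 as blacklisted, reproducing the Barracuda symptom, while the strict check and the 1.0.0.127 probe both expose the rewriting resolver instead.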