@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 126.96.36.199 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 188.8.131.52 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
Yes I share your concerns, this IP made it first appearance in var/log of pfsense of 14th same day we enabled new snort rules
The DNS reply logs
Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.3.6,184.108.40.206,USDNS-reply,Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.4.9,220.127.116.11,USDNS-reply
Suggest sunnyvalley providing black hole response. I still think black hole address should be private to be safe and esp should not resolve or routable to www.
Also the MAC address lookup shows 0050560B0310 -> 00005E000101
One is register with VMware other is IANA. Most probably sunnyvalley cloud app is running over VMware.