Netgate Discussion Forum

    Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?

    41 Posts 7 Posters 3.6k Views
        code4food23 @code4food23

        @code4food23 @bmeeks disregard the comment about 10.10.10.1. Just realized that is the DNSBL webserver virtual IP.

        Nevertheless, could you or someone please shed some light on the above PTR records being resolved to scanner-xyz domains?

          bingo600

          I see all kinds of resolving in my DNS system.
          Especially my mail server is resolving weird names.

          Whenever a "remote" opens a connection to the server (be it legitimate mail, a spammer or a scanner), the mail server tries to be nice and reverse resolves the IP to the DNS name, for better log visibility.

          That is, in this case, not dangerous, just informative.

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

            mer @bingo600

            Isn't the default configuration of unbound (at least in pfSense) set for a caching server? Basically clients get configured to talk to Unbound on the firewall as the DNS resolver, and unbound goes out to the "internet" to satisfy the request. I believe the default DHCP server config on pfSense hands out itself as the DNS server.

            If so, and you are handing out DHCP from pfSense, anything that got a DHCP lease from your pfSense box could have made those requests and unbound is simply caching them.

            Do you have IoT things on your network, like Ring doorbells, Nest thermostats, etc.? It is possible something like that is making the request.

            A packet capture is about the only way to figure it out, but you need to look at a lot of packets and the data inside them.

            Maybe doing a whois on one or two of the names will shed some information.

              Gertjan @bingo600

              @mer said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

              and unbound is simply caching them.

              When this option is set :

              [screenshot: 9c6cc412-1f76-4d1a-bc39-9d692341ec4c-image.png]

              unbound will not prune the cache any more after TTL : it will refresh the content. So, once a domain gets asked once, it will stay there for future usage, as the TTL never reaches zero.

              @code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

              Nevertheless could you or someone please shed some light on the above

              It's easy to check what happens, and who does what.

              You have a console port on your pfSense, use it.
              If not, you have to use the SSH access - and keep the PC on which the SSH client runs connected to your LAN.
              Now it comes : remove ALL other devices. No exception.

              DNS - unbound log traces will come to a complete halt, if you were using the console access, and nothing is connected to your LANs.
              Unbound DNS traffic logs will only mention what your PC is doing - if you have this one connected to your LAN because you were using the SSH client.

              Now, add LAN based devices one by one. DNS traffic accelerates.

              Another side effect is the usage of CNAME DNS requests. Unbound (pfBlockerNG) will fetch them, and then fetch all of the possible domains the CNAME points to, because, if a device fetches a CNAME, it will also pick one domain and use it. By that time, pfBlockerNG is ready to block it.
              This creates some sort of snowball effect.
              @bingo600 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

              the Mailserver tries to be nice , and reverse resolve the ip to the DNS name , for better log visibility.

              Be nice ?
              Mine reverses the PTR of the sender's IP, and if he isn't who he says he is during the HELO phase, it drops the line.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                bingo600 @Gertjan

                @gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                Be nice ?
                Mine reverses the PTR of the sender's IP, and if he isn't who he says he is during the HELO phase, it drops the line.

                You would not be able to receive mail from me.
                I have a "fixed IP", but no control over my IP reverse pointer (ISP won't play), as I'm part of a pool.

                My mail server name is not set to be my reverse pointer name (yet).
                I have a setting where I drop if I can't resolve the reverse IP at all.

                /Bingo


                  johnpoz LAYER 8 Global Moderator @Gertjan

                  @gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                  unbound will not prune the cache any more after TTL : it will refresh the content

                  Not really how it works.. With prefetch set - if something asks for that and the TTL is close to expiring, it will prefetch it before it expires, which will bring the TTL back up to full. It's not like unbound is asking for everything in its cache that reaches X% of the original TTL.

                         prefetch: <yes or no>
                                If yes, message cache elements are prefetched before they expire
                                to  keep  the  cache  up to date.  Default is no.  Turning it on
                                gives about 10 percent more traffic and load on the machine, but
                                popular items do not expire from the cache.
                  

                  Notice "popular items do not expire". But if you ask for something.tld, and then never ask for it again - it will expire.

                    # perform prefetching of close to expired message cache entries.  If a client
                    # requests the dns lookup and the TTL of the cached hostname is going to
                    # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
                    # host to the client and (2nd) pre-fetch the dns request from the remote dns
                    # server. This method has been shown to increase the amount of cached hits by
                    # local clients by 10% on average.
                  

                  This is more useful in increasing your cache hits, and can show a performance increase if you have something that takes a bit to resolve for whatever reason, versus letting something expire that is asked for, and then having to resolve it. Once something gets close to expiring - it looks it up in the background - so that next time someone asks it's still cached.

                  Serve 0 TTL is also very useful, since even if something has expired - it can still get served before looking it up. It returns the last entry and then looks it up, so if it changed, it will have the new value next time it's asked for.

                  Min TTL is also handy - when you have stuff that has a really low TTL, in reducing the number of times something has to be resolved. If something has a TTL of 60, vs having to resolve that all the time you can set a min TTL of say 3600.. Now that will only be resolved every hour, even if something is asking for it every 5 minutes.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

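The cache behaviour johnpoz describes (prefetch only on a query near expiry, serve-expired, cache-min-ttl) as a small model. This is an added illustration, not unbound's own code or anything from the thread: it follows the man-page semantics quoted above with constructed authoritative data, and the 10% threshold is the one from the quoted config comment.

```python
"""Simplified model of unbound's prefetch, serve-expired and cache-min-ttl
behaviour (added example, not unbound's code). One entry per name; a refresh
happens only when a *query* arrives with under 10% of the TTL left, and entries
nobody asks for are never touched."""
from collections import Counter
from dataclasses import dataclass, field

PREFETCH_FRACTION = 0.10   # refresh when less than 10% of the TTL remains


@dataclass
class Entry:
    value: str
    ttl: int          # TTL as stored (after cache-min-ttl clamping)
    expires_at: int   # absolute time in seconds


@dataclass
class Resolver:
    prefetch: bool = False
    serve_expired: bool = False
    cache_min_ttl: int = 0
    cache: dict = field(default_factory=dict)
    upstream: Counter = field(default_factory=Counter)  # upstream queries per name

    def _fetch_upstream(self, name, now, authoritative):
        """Ask the (constructed) authoritative data and store the answer."""
        value, ttl = authoritative[name]
        ttl = max(ttl, self.cache_min_ttl)   # cache-min-ttl raises short TTLs
        self.upstream[name] += 1
        self.cache[name] = Entry(value, ttl, now + ttl)
        return value

    def resolve(self, name, now, authoritative):
        """Return (answer, how) for a client query at time `now`."""
        entry = self.cache.get(name)
        if entry is None:
            return self._fetch_upstream(name, now, authoritative), "miss"
        remaining = entry.expires_at - now
        if remaining > 0:
            if self.prefetch and remaining < PREFETCH_FRACTION * entry.ttl:
                # Client is answered from cache; the refresh happens only
                # because this query arrived close to expiry.
                self._fetch_upstream(name, now, authoritative)
                return entry.value, "hit+prefetch"
            return entry.value, "hit"
        if self.serve_expired:
            # Stale answer now, fresh data for the next query.
            self._fetch_upstream(name, now, authoritative)
            return entry.value, "stale+refresh"
        return self._fetch_upstream(name, now, authoritative), "expired"

    def expire(self, now):
        """Drop entries whose TTL ran out; nothing refreshes them on its own."""
        self.cache = {n: e for n, e in self.cache.items() if e.expires_at > now}


# Constructed authoritative data: both names carry a 60 s TTL.
AUTH = {"popular.example.": ("192.0.2.10", 60),
        "once.example.": ("198.51.100.7", 60)}


def prefetch_demo():
    """popular.example. is asked every 5 s for 5 minutes; once.example. once."""
    r = Resolver(prefetch=True)
    r.resolve("once.example.", 0, AUTH)
    for t in range(0, 301, 5):
        r.resolve("popular.example.", t, AUTH)
    r.expire(301)
    return r


def min_ttl_demo(cache_min_ttl):
    """One client asks a 60 s-TTL name every 5 minutes for an hour."""
    r = Resolver(cache_min_ttl=cache_min_ttl)
    for t in range(0, 3600, 300):
        r.resolve("popular.example.", t, AUTH)
    return r.upstream["popular.example."]


if __name__ == "__main__":
    r = prefetch_demo()
    print("upstream queries:", dict(r.upstream))          # popular 6, once 1
    print("still cached after 301 s:", sorted(r.cache))   # only popular.example.
    print("upstream queries per hour, min-ttl 0 vs 3600:",
          min_ttl_demo(0), min_ttl_demo(3600))            # 12 vs 1
```

The once-asked name drops out of the cache after its 60 s even with prefetch on; only the name that keeps being queried near expiry is refreshed.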
                    Gertjan @johnpoz

                    @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                    @gertjan said : unbound will not prune the cache any more after TTL : it will refresh the content

                    I'll (should have) add two words :
                    unbound will not prune the cache any more after TTL reaches zero : it will refresh the content.

                    @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                    and then never ask for it again - it will expire.

                    Then that was me misunderstanding.
                    unbound maintains a "popular" indicator ?! (I just earned a visit to the source code repository to find out ;))
                    I understood that, for any TTL reaching zero, when prefetch is active, it will refresh.
                    This implies that the cache will steadily grow over time. Humm, that's good and very bad.
                    Thanks for the info.

                    edit : for @code4food23 : What I meant to say was : once you connected your device with "foreign origins" to your network, you will introduce traffic related to these origins in your network. Even if you remove them, some related traffic still persists.
                    @johnpoz makes it clear that this traffic will fade out over time.


                      code4food23 @mer

                      @mer said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                      Basically clients get configured to talk to Unbound on the firewall as the DNS resolver, and unbound goes out to the "internet" to satisfy the request.

                      Would unbound also try to satisfy requests made by services like pfBlocker and Suricata? Idk about those scanner-* domains but I saw I have a DNSBL for abuse.ch and oisd.nl.

                      @mer said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                      Do you have iOT things on your network, like Ring doorbells, Nest thermostats, etc? It is possible something like that is making the request.

                      I do have two Ring cameras. I think I ruled out the Raspberry Pi and TV because I disconnected those and still kept seeing unbound resolve these odd domains.

                      Could this be a sign that they are compromised?

                        johnpoz LAYER 8 Global Moderator @Gertjan

                        @gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                        you will introduce traffic related these origins in your network

                        Exactly -- if you ask for www.domain.tld, when you resolve there is going to be stuff that will trigger off that which isn't exactly what you asked for. It will have to query the roots for the tld, it will have to query the gtld servers for the ns of domain.tld, it will have to query the ns for domain.tld, it will query the ns of domain.tld for www.domain.tld.

                        It will also have to look up any cnames that stuff might point to, etc.

                        unbound isn't going to just willy nilly resolve stuff - something had to ask it to resolve X.. once it is asked to resolve something - it will look up other stuff related to looking up X..

                        That something could be a client, it could be a package running on pfsense, it could be pfsense itself - if you click the little resolve button in your firewall log it will look for the PTR of that IP, it will resolve stuff to look for its update and packages, etc.

                        But if unbound looked up something - it was asked to do so by something.

                        edit: nameservers - man you have no idea how many domains it might be the ns for.. could be 10s of thousands of domains.. With millions of total records. The name of some nameserver doesn't have to be ns.domain.tld either.. I could have my ns be called yourfdnow.spyware.net hehe - prob cause some issues with lots of people asking questions and blocking it - but as long as I have the ability to put records in spyware.net I could have my ns name be a record in that domain..

                        When looking up a ptr - where those resolve is up to the actual owner of the IP space, unless they have delegated it to someone using their IP space.. You could have some IP used in DE be resolved by an NS in China for example - if a company in DE is using an IP owned or used to be owned by a Chinese company. Could be a business in the US, using IPs from their parent company routed to the US with the PTR still pointing back to China to resolve..

                        Quite often when IP space is sold, they forget to update some of these records, etc. Or doesn't get updated until long after when they finally figure out something is not working correctly.

                        I get abuse letters from IPs I manage with arin - because the guys in the datacenter would assign some ip space to customer, and not let me know - so never delegated that space to them, or work with their IT to get the space being delegated to resolve via their NS for ptrs, etc.


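A way to act on "something had to ask it": attribute each query in the resolver log to the client that sent it, so local lookups (127.0.0.1, i.e. the resolve button, packages) separate from LAN hosts. This is an added example, not code from the thread or from pfSense; it assumes unbound's `log-queries: yes` line format (`info: <client> <name> <type> <class>`) and the log lines below are constructed sample data.

```python
"""Attribute unbound queries to the client that asked for them (added example).
Parses the lines unbound writes with `log-queries: yes` as they appear in
pfSense's resolver log. The sample log is constructed, using documentation
IP ranges; it is not real data from the thread."""
import re
from collections import Counter, defaultdict

# Constructed sample of pfSense resolver log lines.
SAMPLE_LOG = """\
Sep  3 08:19:29 pfSense unbound[48560:0]: info: 127.0.0.1 8.2.0.192.in-addr.arpa. PTR IN
Sep  3 08:19:29 pfSense unbound[48560:0]: info: 127.0.0.1 44.100.51.198.in-addr.arpa. PTR IN
Sep  3 08:19:30 pfSense unbound[48560:0]: info: 192.168.1.20 www.example.com. A IN
Sep  3 08:19:30 pfSense unbound[48560:0]: info: 192.168.1.20 www.example.com. AAAA IN
Sep  3 08:19:31 pfSense unbound[48560:0]: info: 192.168.1.45 doorbell-update.example.net. A IN
Sep  3 08:19:32 pfSense unbound[48560:0]: notice: init module 0: validator
Sep  3 08:19:32 pfSense unbound[48560:0]: info: 127.0.0.1 9.113.0.203.in-addr.arpa. PTR IN
Sep  3 08:19:33 pfSense unbound[48560:0]: info: 192.168.1.20 5.2.0.192.in-addr.arpa. PTR IN
"""

# Query lines only; "notice:"/"error:" lines are skipped.
QUERY_RE = re.compile(
    r"unbound\[\d+:\d+\]: info: (?P<client>\S+) (?P<name>\S+) (?P<qtype>\S+) IN\b")


def parse_line(line):
    """Return {'client', 'name', 'qtype'} for a query line, else None."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def ptr_to_ip(name):
    """'8.2.0.192.in-addr.arpa.' -> '192.0.2.8' (IPv4 reverse names only)."""
    suffix = ".in-addr.arpa."
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    return ".".join(reversed(labels)) if len(labels) == 4 else None


def summarize(log_text):
    """Per-client Counter of query types, e.g. {'127.0.0.1': Counter({'PTR': 3})}."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q:
            per_client[q["client"]][q["qtype"]] += 1
    return dict(per_client)


def local_ptr_lookups(log_text):
    """IPs the firewall itself (127.0.0.1) reverse-resolved: the resolve
    button, pfBlockerNG alert resolution and similar local activity."""
    ips = []
    for line in log_text.splitlines():
        q = parse_line(line)
        if q and q["client"] == "127.0.0.1" and q["qtype"] == "PTR":
            ip = ptr_to_ip(q["name"])
            if ip:
                ips.append(ip)
    return ips


def report(log_text):
    """Rows of (client, total queries, PTR queries), busiest client first."""
    rows = [(c, sum(cnt.values()), cnt["PTR"])
            for c, cnt in summarize(log_text).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for client, total, ptr in report(SAMPLE_LOG):
        print(f"{client:15} {total:4} queries, {ptr} PTR")
    print("reverse lookups started on the firewall itself:",
          local_ptr_lookups(SAMPLE_LOG))
```

On pfSense, `log-queries: yes` goes into the DNS Resolver custom options and the lines land in the resolver log; a PTR query whose client is 127.0.0.1 came from the box itself, not from a LAN host.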
                          code4food23 @Gertjan

                          @gertjan @johnpoz thanks a lot y'all for the informative discussion. Definitely learned this morning.

                          @gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                          even if you remove them, some related traffic still persists.

                          So is there not a way to remove this type of traffic? Or by "them" did you mean if I were to remove the clients?

                          @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                          That something could be a client, it could be a package running on pfsense, it could be pfsense itself - if you click the little resolve button in your firewall log it will look for the PTR of that IP, it will resolve stuff to look for its update and packages, etc.

                          So for example I have DNS block lists with TLDs of .ch and .nl (abuse.ch and oisd.nl). So pfBlocker or Suricata could also be generating this traffic?

                          But actually I never thought of that which you mentioned about it being pfSense. I actually have clicked on the resolve IP before on the firewall logs. So am I correct in saying that this is most likely the cause for unbound resolving those PTR records to those scanner-* domains? This is what got me really worried in the first place since I had seen blocks to those domains in my firewall logs.

                          Also, to make sure I understand the discussion above. Essentially, unbound will keep refreshing these even if I didn't specifically tell it to resolve those at the instant I saw those in my logs. Which is why I see them being requested, right?

                          Furthermore, this wouldn't be a sign of compromise then, would it?

                            code4food23 @Gertjan

                            @gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                            You have a console port on your pfSense, use it.
                            If not, you have to use the SSH access - and keep the PC on which the SSH client runs connected to your LAN.
                            Now it comes : remove ALL other devices. No exception.

                            Thanks for this suggestion, will definitely try. The intention was originally this when I disconnected my TV and Pi, and the only clients I had aside from the AP were one Ring doorbell and a Mac connected to the LAN on the UniFi switch.

                              johnpoz LAYER 8 Global Moderator @code4food23

                              @code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                              This is what got me really worried in the first since i had seen blocks to those domain in my firewall logs.

                              Not blocks to. If you click resolve on an IP in your firewall logs - that is the PTR of that IP - they scanned you, and it was blocked. Doesn't mean anything on your network tried to go there..

                              China does a lot of scanning - so yeah you're going to see all kinds of IPs from China in your firewall log. If you try to resolve those IPs - then most likely an NS in China resolves that space.. Doesn't mean anything on your network tried to go to some domain/IP in China..

                              edit: example

                              [screenshot: IPRU.jpg]

                              This IP, which is an RU IP, tried to scan me; now it doesn't resolve - but prob points to some NS in Russia, etc. So very well, if I looked in my query log, even though it doesn't resolve it prob did some lookup for a Russian name server when I clicked the little resolve button on the firewall log.


                                code4food23 @johnpoz

                                @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                                Not blocks to. If you click resolve on an IP in your firewall logs - that is the PTR of that IP - they scanned you, and it was blocked.

                                Thank you for the clear example. And yes, sorry, I meant to say I have indeed clicked on the resolve IP and, just as shown in your image, I've seen scanner domains and "cannot resolve".

                                Would unbound continually resolve those later on? For example, the domains in the first image occurred throughout the day yesterday when I looked at the log.

                                Also, is there a button to manually prune the cache like in pihole? I didn’t find the option looking yesterday.

                                  code4food23 @code4food23

                                  @code4food23 @johnpoz

                                  For example, upon checking my logs again, I am seeing the same activity. I have disconnected the AP my Ring device is connected to, and now the only client connected is my computer, aside from the UniFi switch which is where I have my laptop connected to.

                                  Also a thing to note is that this activity was happening overnight as well, when the only thing connected was my Ring device.

                                  [screenshot: Screen Shot 2021-09-03 at 8.19.29 AM.png]

                                  So is this the case of unbound having cached these?

                                    johnpoz LAYER 8 Global Moderator @code4food23

                                    @code4food23 why are you blocking out the source of the query? If that was some local IP of yours - then you know what is triggering them. There is little reason to hide rfc1918 space.

                                    Another example, as already mentioned, is lists being pulled by a package. Keep in mind that say I download a list from special.listdomain.com - as went over already, looking up that record could trigger lots of other queries. For example what is the NS of listdomain.com? For all we know you have something updating that domain whose NS is bta.net.cn?

                                    What packages do you have installed, what are they pulling data from.. Do you have anything set to do lookups? ntop can for example be set to query for IPs it sees.. pfblocker using lists from all over, or pfblocker depending on how you have it set up could be resolving domains.. A list using whois regex could resolve domains to IPs, etc.

                                    is there a button to manually prune the cache like in pihole

                                    You can purge specific entries/domains using

                                    unbound-control -c /var/unbound/unbound.conf

                                    and the appropriate command

                                      flush_type <name> <type>      flush name, type from cache
                                      flush_zone <name>             flush everything at or under name from rr and dnssec caches
                                      flush_bogus                   flush all bogus data
                                      flush_negative                flush all negative data
                                      flush_stats                   flush statistics, make zero
                                      flush_requestlist             drop queries that are worked on
                                      flush_infra [all | ip]        remove ping, edns for one IP or all
                                    

                                    I only use pfblocker to pull geoip and a few other IP based lists.. So I am not really up to speed on all the ins and outs of when, how - why and what it might do related to dns queries.. We prob need @BBcan177 to chime in here on what specifically could be causing those queries to happen..

                                    BTW - where exactly are you pulling that info from.. where it shows your geoip there as CN.. I don't recall seeing such a screen/log in pfblocker?

                                    ah -- I found this for example... So clearly pfblocker is kicking off resolving of stuff.. My lists are only IP based.. But when it allowed something it resolved it.. or tried. So your deny list if you're blocking CN could be doing the same thing, etc..

                                    [screenshot: resolve.jpg]


                                      code4food23 @johnpoz

                                      @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                                      why are you blocking out the source of the query? If that was some local IP of yours - then you know what is triggering them. There is little reason to hide rfc1918 space.

                                      The IPs were all 127.0.0.1, I just wasn't sure whether it was okay to show the hostname that appears below that, which to my understanding is that of the pfSense (something like: my_name_domain.home.arpa)

                                      @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                                      For all we know you have something updating that domain of what that is NS is bta.net.cn?

                                      What could be the reason for this if this is the case? I have the below packages installed:
                                      [screenshot: Screen Shot 2021-09-03 at 9.40.40 AM.png]

                                      Note I have unchecked the setting in ntopng to enable it. Should probably remove it anyway.

                                        code4food23 @johnpoz

                                        @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                                        BTW - where exactly are you pulling that info from.. where it shows your geoip there as CN.. I don't recall seeing such a screen/log in pfblocker?
                                        ah -- I found this for example... So clearly pfblocker is kicking off resolving of stuff.. My lists are only IP based.. But when it allowed something it resolved it.. or tried. So your deny list if you're blocking CN could be doing the same thing, etc..

                                        Oh so that is why I see those IPs resolved in my pfBlocker alerts. It has been done by pfBlocker this whole time? And turning this off, if possible, would stop this from showing up in my logs?

                                          code4food23 @johnpoz

                                          @johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                                          But when it allowed something it resolved it.. or tried. So your deny list if you're blocking CN could be doing the same thing, etc..

                                          My Permit list is empty, but yes like you said, the deny list is doing the exact same thing. I can't find an option to stop it from resolving those IPs. Any ideas?

                                            johnpoz LAYER 8 Global Moderator @code4food23

                                            @code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

                                            I can't find an option to stop it from resolving those IPs. Any ideas?

                                            Hmm? Not sure if you can.. @BBcan177 would be the man to know for sure - and also has the ability to add a feature to turn off resolution in the logs?

                                            I know there is global setting for logging. And there is logging you can turn on or off for specific lists you create, etc.

                                            I use only a fraction of what pfblocker can really do myself. I use it to maintain some aliases, and then use those aliases in my own rules.

                                            I do have mine set to logging - maybe you could turn logging off and see if your odd queries go away. Either globally or on your specific lists.

                                            [screenshot: logging.jpg]


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.