Unable to illegal DNS record from pfsense (DNS-resolver corruption)
-
@johnpoz here is the result of etl files analysis.
-
@asadz so from that its saying that 89.36.170.207 sent you your server 192.168.3.6 that 100 answer for your query?
What is that address?
;; QUESTION SECTION: ;207.170.36.89.in-addr.arpa. IN PTR ;; ANSWER SECTION: 207.170.36.89.in-addr.arpa. 7200 IN PTR zoho-170-207.dub3.computerline.net.You forward your dns queries to them?
edit: that makes no sense that traffic is to 443..
How about a simple wireshark - so can actually see what is on the wire, and what is received on the wire vs some nonsense application trying to make it easier for you to read.. But that info shows us nothing.. Really - where is your client asking, did the dns forward anywhere?
Can really tell what that is - is that the server 3.7 asking what? Or is that the server answering a client - what IP was the client..
Do a simple wireshark for gosh sake.
-
@johnpoz no 89 is separate flow, from analysis of etl it means no traffic went outside the box.
-
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
t means no traffic went outside the box.
well answering a client would be outside the box.. you just had the server ask itself for that query?
But if no traffic went outside - then the server has a record for that.. You need to find out where.. Be it a cache or a actual record you setup..
-
@johnpoz its a production DC, i dnt want to install wireshark as it normally requires a reboot, plus the above etl analysis shows zero bytes was exchanged for this IP, so it remain passive, no for entry i need to do some forensic to see where this IP is
-
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
-
@johnpoz
6.8 is my IP i get after connecting to VPN. The reboot is for npcap driver in case of wireshark. Anyhow, here is the debug logs from the link you shared. I can't make much of it. Seems its resolving requests on its own.18.12.2022 20:24:02 1774 PACKET 000002A1016A7D50 UDP Rcv 192.168.6.8 0006 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP question info at 000002A1016A7D50 Socket = 868 Remote addr 192.168.6.8, port 61364 Time Query=171623, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0028 (40) Message: XID 0x0006 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: empty 18.12.2022 20:24:02 1774 PACKET 000002A1007E2960 UDP Snd 192.168.3.7 a4c2 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP question info at 000002A1007E2960 Socket = 13744 Remote addr 192.168.3.7, port 53 Time Query=0, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0033 (51) Message: XID 0xa4c2 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 1 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: Offset = 0x0028, RR count = 0 Name = (0) 18.12.2022 20:24:02 1774 PACKET 000002A10025D0B0 UDP Rcv 192.168.3.7 a4c2 R Q [8081 DR NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP response info at 000002A10025D0B0 Socket = 13744 Remote addr 192.168.3.7, port 53 Time Query=171623, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0043 (67) Message: XID 0xa4c2 Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 1 NSCOUNT 0 ARCOUNT 1 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: Offset = 0x0028, RR count = 0 Name = [C00C](2)sb(15)scorecardsearch(3)com(0) AUTHORITY SECTION: empty ADDITIONAL SECTION: Offset = 0x0038, RR count = 0 Name = (0) 18.12.2022 20:24:02 1774 PACKET 000002A1016A7D50 UDP Snd 192.168.6.8 0006 R Q [8081 DR NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP response info at 000002A1016A7D50 Socket = 868 Remote addr 192.168.6.8, port 61364 Time Query=171623, Queued=171623, Expire=171626 Buf length = 0x0200 (512) Msg length = 0x0038 (56) Message: XID 0x0006 Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 1 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: Offset = 0x0028, RR count = 0 Name = [C00C](2)sb(15)scorecardsearch(3)com(0) AUTHORITY SECTION: empty ADDITIONAL SECTION: empty 18.12.2022 20:24:03 1774 PACKET 000002A100165910 UDP Rcv 192.168.6.8 0007 Q [0001 D NOERROR] AAAA (2)sb(15)scorecardsearch(3)com(0) UDP question info at 000002A100165910 Socket = 868 Remote addr 192.168.6.8, port 61365 Time Query=171624, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0028 (40) Message: XID 0x0007 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE AAAA (28) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: empty 18.12.2022 20:24:03 1774 PACKET 000002A100165910 UDP Snd 192.168.6.8 0007 R Q [8081 DR NOERROR] AAAA (2)sb(15)scorecardsearch(3)com(0) UDP response info at 000002A100165910 Socket = 868 Remote addr 192.168.6.8, port 61365 Time Query=171624, Queued=0, Expire=0 Buf length = 0x0200 (512) Msg length = 0x005f (95) Message: XID 0x0007 Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 1 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE AAAA (28) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: Offset = 0x0028, RR count = 0 Name = [C00F](15)scorecardsearch(3)com(0) ADDITIONAL SECTION: empty -
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
I found interesting thing , when i parsed log using
https://github.com/AleksandrReznik/DNSdebugLogParserfor correctly resolved local domains I get ldap as
Name = (5)_ldap(4)_tcp(6)VM-DC2(10)dummy(5)local(0)where as for scorecardsearch it is
```
Name = (2)sb(15)scorecardsearch(3)com(0)it doesn't include the _ldap, meaning it doesn't look at local directory ldap for -
@johnpoz also the ANSWER SECTION is empty, which is very strange.
-
This post is deleted! -
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
Also in logs i found
18.12.2022 18:07:03 13F4 PACKET 000002A17EC0D4E0 UDP Rcv 192.168.3.6 0002 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(10)mydomain(5)local(0)why it would append the suffix for external hostnames, in log this append was not done for any external hostnames, perhaps it consider itself to be authoritative NS, when in reality it is not?
-
@asadz Problem solved it was sunnyvalley ngfw (integerated with pfsense) which was doing the blacklisting, the way it did was intriguing as it re-writing the socket the response with a different mac address. The pcap at client always showed A query response from DC, but actually it was coming from ngfw firewall which was injecting the response with backhole address.
-
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
-
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
Yes I share your concerns, this IP made it first appearance in var/log of pfsense of 14th same day we enabled new snort rules
The DNS reply logsDec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.3.6,100.2.3.4,USDNS-reply,Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.4.9,100.2.3.4,USDNS-reply
Suggest sunnyvalley providing black hole response. I still think black hole address should be private to be safe and esp should not resolve or routable to www.
Also the MAC address lookup shows 0050560B0310 -> 00005E000101
One is register with VMware other is IANA. Most probably sunnyvalley cloud app is running over VMware.
