Netgate Discussion Forum

    DNSBL Resolving Some Domains To 10.10.10.1 But Does Not Log Them

    pfBlockerNG
    2 Posts 2 Posters
    • dma_pf
      last edited by dma_pf

      DNSBL is blocking some domains but the events do not show up in the Alerts tab in pfblockerng-devel (v3.2.10). I ran a pcap on the client via pfsense (2.8.1-RELEASE) and loaded it into Wireshark. Here is a snippet of the pcap:

      [image: Wireshark screenshot of the pcap]
      The first line is the actual dns request from the client trying to resolve dns.msftncsi.com. The actual query in the pcap was:

              dns.msftncsi.com: type A, class IN
                  Name: dns.msftncsi.com
                  [Name Length: 16]
                  [Label Count: 3]
                  Type: A (Host Address) (1)
                  Class: IN (0x0001)
      

      The second line was the answer to the query which was:

      Answers
                  dns.msftncsi.com: type A, class IN, addr 10.10.10.1
                      Name: dns.msftncsi.com
                      Type: A (Host Address) (1)
                      Class: IN (0x0001)
                      Time to live: 3600 (1 hour)
                      Data length: 4
                      Address: mobile.events.data.microsoft.com (10.10.10.1)
      

      And the following lines are all the attempts following the DNS query where the client tried to connect to mobile.events.data.microsoft.com at 10.10.10.1:443. None of these events were logged in the Alerts tab in pfblockerng.

      I verified that both dns.msftncsi.com and mobile.events.data.microsoft.com are in DNSBL:

      grep "dns.msftncsi.com" /var/db/pfblockerng/dnsbl/*.txt
      /var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:,dns.msftncsi.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max
      /var/db/pfblockerng/dnsbl/Maltrail_BD.txt:,dns-msftncsi.com,,1,Maltrail_BD,DNSBL_Malicious
      
      grep "mobile.events.data.microsoft.com" /var/db/pfblockerng/dnsbl/*.txt
      /var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:,mobile.events.data.microsoft.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max
      /var/db/pfblockerng/dnsbl/EasyPrivacy.txt:,eu-mobile.events.data.microsoft.com,,1,EasyPrivacy,DNSBL_EasyList
      /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,eu.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
      /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,uk-mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
      /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,uk.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
      /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,us-mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
      /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,us.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
      

      Can someone explain why the events were not logged? And the other strange thing that I don't understand is why the answer to the DNS query would have provided the address of mobile.events.data.microsoft.com (10.10.10.1). How is it that the DNSBL Webserver would resolve dns.msftncsi.com to mobile.events.data.microsoft.com and given that response?
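One thing worth separating in the grep output above is true list hits from grep's substring and unescaped-dot matches (dns-msftncsi.com and the eu-/uk-/us- prefixed names are not the queried domains). The following is an added Python check, not code from the post or from pfBlockerNG; it assumes the record layout ",domain,,1,feed,group" inferred from those lines, and the parent-domain rule is an assumed wildcard-style match, not a statement about pfBlockerNG's matching mode.

```python
import re

# Constructed sample: lines copied from the post's grep output, including
# the "path:" prefix that grep prepends when searching several files.
SAMPLE = """\
/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:,dns.msftncsi.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max
/var/db/pfblockerng/dnsbl/Maltrail_BD.txt:,dns-msftncsi.com,,1,Maltrail_BD,DNSBL_Malicious
/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:,mobile.events.data.microsoft.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max
/var/db/pfblockerng/dnsbl/EasyPrivacy.txt:,eu-mobile.events.data.microsoft.com,,1,EasyPrivacy,DNSBL_EasyList
/var/db/pfblockerng/dnsbl/Lightswitch05.txt:,eu.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
"""


def parse_grep_line(line):
    """Split 'path:,domain,,1,feed,group' into a dict (layout is an assumption)."""
    path, _, record = line.partition(":")
    fields = record.split(",")
    if len(fields) < 6:
        return None
    return {
        "file": path,
        "domain": fields[1].strip().lower().rstrip("."),
        "feed": fields[4].strip(),
        "group": fields[5].strip(),
    }


def domain_matches(query, entry_domain):
    """Exact match, or the entry is a parent of the query (assumed wildcard rule)."""
    q = query.lower().rstrip(".")
    return q == entry_domain or q.endswith("." + entry_domain)


def find_matches(query, text):
    """Return (feed, group, entry_domain) for entries that really cover `query`."""
    hits = []
    for line in text.splitlines():
        entry = parse_grep_line(line)
        if entry and domain_matches(query, entry["domain"]):
            hits.append((entry["feed"], entry["group"], entry["domain"]))
    return hits


def naive_grep(query, text):
    """What an unquoted-dot, unanchored grep does: any substring, '.' = any char."""
    return [line for line in text.splitlines() if re.search(query, line)]
```

Running `find_matches("dns.msftncsi.com", SAMPLE)` yields only the Crazy_Max_Extra entry, while `naive_grep` also returns the dns-msftncsi.com line; a query for eu.mobile.events.data.microsoft.com shows the parent-domain rule adding the mobile.events.data.microsoft.com entry to the exact Lightswitch05 hit.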

      • tinfoilmatt @dma_pf
        last edited by

        @dma_pf Debt collector, or debt relief service?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.