DNSBL Resolving Some Domains To 10.10.10.1 But Does Not Log Them
- 
DNSBL is blocking some domains but the events do not show up in the Alerts tab in pfblockerng-devel (v3.2.10). I ran a pcap on the client via pfsense (2.8.1-RELEASE) and loaded it into Wireshark. Here is a snippet of the pcap:

The first line is the actual dns request from the client trying to resolve dns.msftncsi.com. The actual query in the pcap was:

    dns.msftncsi.com: type A, class IN
        Name: dns.msftncsi.com
        [Name Length: 16]
        [Label Count: 3]
        Type: A (Host Address) (1)
        Class: IN (0x0001)

The second line was the answer to the query which was:

    Answers
        dns.msftncsi.com: type A, class IN, addr 10.10.10.1
            Name: dns.msftncsi.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 3600 (1 hour)
            Data length: 4
            Address: mobile.events.data.microsoft.com (10.10.10.1)

And the following lines are all the attempts following the DNS query where the client tried to connect to mobile.events.data.microsoft.com at 10.10.10.1:443. None of these events were logged in the Alerts tab in pfblockerng.
I verified that both dns.msftncsi.com and mobile.events.data.microsoft.com are in DNSBL:

    grep "dns.msftncsi.com" /var/db/pfblockerng/dnsbl/*.txt
    /var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:,dns.msftncsi.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max
    /var/db/pfblockerng/dnsbl/Maltrail_BD.txt:,dns-msftncsi.com,,1,Maltrail_BD,DNSBL_Malicious

    grep "mobile.events.data.microsoft.com" /var/db/pfblockerng/dnsbl/*.txt
    /var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:,mobile.events.data.microsoft.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max
    /var/db/pfblockerng/dnsbl/EasyPrivacy.txt:,eu-mobile.events.data.microsoft.com,,1,EasyPrivacy,DNSBL_EasyList
    /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,eu.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
    /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,uk-mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
    /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,uk.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
    /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,us-mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers
    /var/db/pfblockerng/dnsbl/Lightswitch05.txt:,us.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers

Can someone explain why the events were not logged? And the other strange thing that I don't understand is why the answer to the DNS query would have provided the address of mobile.events.data.microsoft.com (10.10.10.1). How is it that the DNSBL Webserver would resolve dns.msftncsi.com to mobile.events.data.microsoft.com and give that response?
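An exact-match version of the lookup in the post above, as an added example that is not part of the original post. The unanchored `grep` treats each `.` as a regex wildcard, which is why `dns-msftncsi.com` and the `eu.`/`us-` variants appear in its output. The function names are hypothetical, the field layout is assumed from the quoted output, and the sample files are constructed from lines in that output.

```shell
#!/bin/sh
# Exact-match lookup of a host name in pfBlockerNG DNSBL feed files.
# Assumption: each line has the form ",<domain>,,1,<feed>,<group>", as in the
# grep output quoted in the post.

# dnsbl_lookup DOMAIN DIR: print "<feed> <group>" for every feed listing DOMAIN exactly.
dnsbl_lookup() {
    domain=$1
    dir=$2
    # awk compares field 2 as a literal string, so "." is not a wildcard and
    # look-alikes (dns-msftncsi.com) or sub-domains do not match.
    awk -F, -v d="$domain" 'tolower($2) == tolower(d) { print $5, $6 }' "$dir"/*.txt
}

# dnsbl_regex_hits PATTERN DIR: count lines matched by the unanchored grep, for comparison.
dnsbl_regex_hits() {
    grep -h "$1" "$2"/*.txt | wc -l | tr -d ' '
}

# Build a constructed sample directory from lines shown in the post.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' \
        ',dns.msftncsi.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max' \
        ',mobile.events.data.microsoft.com,,1,Crazy_Max_Extra,DNSBL_MSFT_Crazy_Max' \
        > "$dir/Crazy_Max_Extra.txt"
    printf '%s\n' ',dns-msftncsi.com,,1,Maltrail_BD,DNSBL_Malicious' \
        > "$dir/Maltrail_BD.txt"
    printf '%s\n' \
        ',eu.mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers' \
        ',us-mobile.events.data.microsoft.com,,1,Lightswitch05,DNSBL_Firebog_Trackers' \
        > "$dir/Lightswitch05.txt"
    echo "$dir"
}

sample=$(make_sample)
for name in dns.msftncsi.com mobile.events.data.microsoft.com; do
    echo "$name: regex hits=$(dnsbl_regex_hits "$name" "$sample"), exact:"
    dnsbl_lookup "$name" "$sample"
done
rm -rf "$sample"
```

On the firewall itself, pass `/var/db/pfblockerng/dnsbl` as the directory argument instead of the sample directory.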
 - 
@dma_pf Debt collector, or debt relief service?
 - 
> @dma_pf said in DNSBL Resolving Some Domains To 10.10.10.1 But Does Not Log Them:
> "mobile.events.data.microsoft.com
I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from ?
I picked a host name from the Max_MS.txt file, and tested:

    C:\Users\Gauche>nslookup umwatsonc.events.data.microsoft.com
    Serveur :   pfSense.brit-hotel-fumel.net
    Address:  2a01:cb19:907:dead:beef:fe29:392c

    Réponse ne faisant pas autorité :
    Nom :    umwatsonc.events.data.microsoft.com
    Addresses:  ::
              0.0.0.0

and the request was 0.0.0.0 blocked - I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP ) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server".

 - 
@Gertjan Thanks a lot for your help. This really helped me:
> I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP ) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server".
With that hint I was able to resolve my issue by:
- Unchecking the Python Group Policy Enable checkbox for the DNSBL Webserver Configuration on the DNSBL tab in pfblockerng.
- Checking the Permit Firewall Rules Enable checkbox and selecting the appropriate interfaces for the DNSBL Configuration on the DNSBL tab in pfblockerng.
- Forced Update | All.
 
It now appears that all the blocked domains are appearing on the Alerts tab in pfblockerng.
> I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from ?
I get that DNSBL, and 2 others, from the original maintainer (https://github.com/crazy-max/WindowsSpyBlocker):
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt

I really appreciate your help!