PfSense trying shady connections?

garyd9

it's not pfblocker.  It's DNS.

I'm assuming that you have pfsense configured as default, meaning that it'll be a DNS Resolver (and not a forwarder.)  So, when pfsense (or any machine using pfsense for DNS) wants to resolve a FQDN that ends with ".org", this is what happens:

First, "unbound" (the name of the program that's doing DNS resolution) will query the "root servers" to find out the name of a machine that can resolve domain names that end with .org.  Those root servers are configured within unbound (but not seen in the interface.)  One of those root servers sees that you want to resolving something.org, so it points you to the authority for ".org"  In somewhat readable format, that response looks like this:

;; AUTHORITY SECTION:
org.                    639     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2012137076 1800 900 604800 86400

See that hostname?  Look familiar?

That just tells unbound to ask a0.org.afilias-nst.info or noc.afilias-nst.info for more information (as they are authorities for all domain names that end with .org.)

There's nothing going wrong here.  It's working fine.  If unbound is blocked from contacting a0.org.afilias-nst.info, it'll just ask noc.afilias-nst.info instead.

BTW, in an extremely odd twist of being right for the wrong reasons:  It really IS ntp causing that alert.  ntp is trying to resolve "0.pfsense.ntp.org", which kicks off the sequence through DNS.

BBcan177

@campusantu:

I uninstalled pfBlocker and plan not to reinstall it for 24/48h just to confirm it's that, so I can't see myself.

Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code… and if there was some hidden malicious IP being requested by the package itself I would know. Any non-believers can goto gitHub and review all the open sourced package code and let me know so it can be removed :^)

As for Lists/Feeds... You can add additional IP and DNSBL Feeds to the package, and these are the only URLs that the package will pull, except for MaxMind (Used for the GeoIP database) and Alexa (Used for DNSBL Whitelisting)...

In looking at these IPs with tcpiputils.com [ 199.19.56.1 and 199.249.120.1 ]

http://www.tcpiputils.com/browse/ip-address/199.19.56.1
http://www.tcpiputils.com/browse/ip-address/199.249.120.1

199.19.56.1    is listing 1 Mail server  and 3 Name Servers at that IP.
199.249.120.1 is listing 2 Mail servers and 3 Name Servers at that IP.

So something on your LAN is making requests to these IPs. I assume that since you installed pfSense, that your using the DNS Resolver. If its in "Resolver" mode, than DNS requests are going out to the 13 Root DNS servers for DNS Resolution which then goes down the tree to find the correct DNS Resolution for each request.

Your "ASUS" was probably set to your ISP DNS server, or Google DNS which uses their own DNS cache for lookups so it may be that it resolved differently and was not previously noticable.

If you can run a packet capture and review the those pcaps you will find out whats going on exactly in your network, as of right now, its all speculation.

I have sent TrendMicro and Afilias a tweet to see if they have listed those two IPs in err… Will post back once I hear something...

A Former User

@garyd9:

I'm assuming that you have pfsense configured as default, meaning that it'll be a DNS Resolver (and not a forwarder.)

Yes, as already said but probably was lost in the messages. I superficially assumed it would ask the router instead of trying itself, gave little weight to the dns section when skimming through settings. Seems like at 2am I'm not that awake anymore.. Can you guess what time is it here now?  ;D

@BBcan177:

Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code… and if there was some hidden malicious IP being requested by the package itself I would know. Any non-believers can goto gitHub and review all the open sourced package code and let me know so it can be removed :^)

I thought more about a modified ISO, like what happened with linux mint months ago, I know pfSense and its packages are extensively used so someone would have found out already :)

@BBcan177:

So something on your LAN is making requests to these IPs. I assume that since you installed pfSense, that your using the DNS Resolver. If its in "Resolver" mode, than DNS requests are going out to the 13 Root DNS servers for DNS Resolution which then goes down the tree to find the correct DNS Resolution for each request.

Well then I guess it's pfSense itself since nothing relies on it. It's the new guy in the block :P

@BBcan177:

Your "ASUS" was probably set to your ISP DNS server, or Google DNS which uses their own DNS cache for lookups so it may be that it resolved differently and was not previously noticable.

If you can run a packet capture and review the those pcaps you will find out whats going on exactly in your network, as of right now, its all speculation.

Yep, Google DNS. Will run wireshark when I'll have time, maybe during the weekend.

I'll wait for your response about the tweet, and report back when I run wireshark.

Thank you all for the help  :)

KOM

Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…

The iNerd, coming soon from Apple!  ;D

johnpoz

So this feel good tool your running on your router that says it blocks stuff to bad places..  It doesn't even list what port it blocked??

A Former User

@johnpoz:

So this feel good tool your running on your router that says it blocks stuff to bad places..  It doesn't even list what port it blocked??

Erm… Nope. I'd hope it says something more in the logs, but the record was already out of it. I'll get a request blocked when I'm home, to see if it gets there. Keep in mind it's not the standard router firewall

johnpoz

If it does not list the port the traffic is going to to its completely pointless to even log it as blocked..  And if they are blocking the netblocks that the root servers are on that is a huge problem.. I would open a ticket with them about that for sure.

dennypage

@BBcan177:

Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…

Really?  :)

A Former User

@johnpoz:

If it does not list the port the traffic is going to to its completely pointless to even log it as blocked..  And if they are blocking the netblocks that the root servers are on that is a huge problem.. I would open a ticket with them about that for sure.

Ok so the connection doesn't get logged on syslog, seems like the AiProtection is just entirely separate. I'll look into opening the ticket or opening a pull request for the port to be added to the mailed details. Meanwhile I found the IP mentioned in other threads on this forum and on twitter and google, saying it's a botnet sinkhole, even if the posts are quite old. Still not convinced they're not bad , even if it's not pfSense fault :P

Edit: took a look at merlinwrt sources, seems like that part comes from a precompiled module, so pull request is a no-go

garyd9

A botnet sink running on a TLD root server?  That's an interesting thought, and a bit frightening.  That hostname is queried millions of times a day to find .org domain name servers, and if it's compromised… that's not a happy thought.  (Yes, my own configuration returned that server as an .org TLD server.. and I have DNSSEC enabled and active.)

It really makes you wonder just how fragile the whole thing could be...

A Former User

@garyd9:

A botnet sink running on a TLD root server?  That's an interesting thought, and a bit frightening.  That hostname is queried millions of times a day to find .org domain name servers, and if it's compromised… that's not a happy thought.  (Yes, my own configuration returned that server as an .org TLD server.. and I have DNSSEC enabled and active.)

It really makes you wonder just how fragile the whole thing could be...

I don't know what to say at this point…  :-
I tried the other afilias ips on trend micro web reputation, they're untested. Anything else we can do to verify/disprove?

BBcan177

@KOM:

Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…

The iNerd, coming soon from Apple!  ;D

Next time i will be more visceral and provide a horrific pic to support my thoughts :)      s/inerds/innards/
ps - This is not a spelling bee…  :P

RonpfS

http://www.urbandictionary.com/define.php?term=iNerd

BBcan177

@campusantu:

@garyd9:

A botnet sink running on a TLD root server?  That's an interesting thought, and a bit frightening.  That hostname is queried millions of times a day to find .org domain name servers, and if it's compromised… that's not a happy thought.  (Yes, my own configuration returned that server as an .org TLD server.. and I have DNSSEC enabled and active.)

It really makes you wonder just how fragile the whole thing could be...

I don't know what to say at this point…  :-
I tried the other afilias ips on trend micro web reputation, they're untested. Anything else we can do to verify/disprove?

I am going out on a strong limb and say that these are False Positives…
I have checked over 50 different Blocklists and the IP reputation is fine... Except for what TrendMicro is reporting. However, their site seems to be URL based and not IP based... Will never know as the details about the service is slim to none...

Food for thought:
https://www.asus.com/ca-en/Networking/RT-AC5300/
https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/
https://twitter.com/flexhub/status/587315109992800257

You might want to tweet to the Dev of Asuswrt-Merlin:
https://twitter.com/RMerlinDev

The github branch for Asuswrt-Merlin if you are interested:
https://github.com/RMerl/asuswrt-merlin/search?p=1&q=AiProtection&utf8=%E2%9C%93

Trend Micro has yet to reply about the FP... I am not a customer of theirs, so best left in your court.
https://twitter.com/BBcan177/status/770737622121611268

KOM

This is not a spelling bee…

I was just having some fun.  You know I still love you  ;D

BBcan177

@KOM:

This is not a spelling bee…

I was just having some fun.  You know I still love you  ;D

Hehe…. me too...  8)

A Former User

I am going out on a strong limb and say that these are False Positives…
I have checked over 50 different Blocklists and the IP reputation is fine... Except for what TrendMicro is reporting. However, their site seems to be URL based and not IP based... Will never know as the details about the service is slim to none...

Food for thought:
https://www.asus.com/ca-en/Networking/RT-AC5300/
https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/
https://twitter.com/flexhub/status/587315109992800257

You might want to tweet to the Dev of Asuswrt-Merlin:
https://twitter.com/RMerlinDev

The github branch for Asuswrt-Merlin if you are interested:
https://github.com/RMerl/asuswrt-merlin/search?p=1&q=AiProtection&utf8=%E2%9C%93

Trend Micro has yet to reply about the FP... I am not a customer of theirs, so best left in your court.
https://twitter.com/BBcan177/status/770737622121611268

Didn't get the reason behind the RT-AC5300 link, read all the others. Well, to be honest that's what any web reputation system does, so one can choose either to use it or not. I saw your tweet and bump, seems to go unnoticed  :-
As per pfSense I guess I'll be playing with it a little more before deciding, might as well use it between my physical LAN and my VMs to try it out.
Thanks for the help

Bardecome

This post is deleted!