Unable to illegal DNS record from pfsense (DNS-resolver corruption)
-
@johnpoz its a production DC, i dnt want to install wireshark as it normally requires a reboot, plus the above etl analysis shows zero bytes was exchanged for this IP, so it remain passive, no for entry i need to do some forensic to see where this IP is
-
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
-
@johnpoz
6.8 is my IP i get after connecting to VPN. The reboot is for npcap driver in case of wireshark. Anyhow, here is the debug logs from the link you shared. I can't make much of it. Seems its resolving requests on its own.18.12.2022 20:24:02 1774 PACKET 000002A1016A7D50 UDP Rcv 192.168.6.8 0006 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP question info at 000002A1016A7D50 Socket = 868 Remote addr 192.168.6.8, port 61364 Time Query=171623, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0028 (40) Message: XID 0x0006 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: empty 18.12.2022 20:24:02 1774 PACKET 000002A1007E2960 UDP Snd 192.168.3.7 a4c2 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP question info at 000002A1007E2960 Socket = 13744 Remote addr 192.168.3.7, port 53 Time Query=0, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0033 (51) Message: XID 0xa4c2 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 1 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: Offset = 0x0028, RR count = 0 Name = (0) 18.12.2022 20:24:02 1774 PACKET 000002A10025D0B0 UDP Rcv 192.168.3.7 a4c2 R Q [8081 DR NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP response info at 000002A10025D0B0 Socket = 13744 Remote addr 192.168.3.7, port 53 Time Query=171623, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0043 (67) Message: XID 0xa4c2 Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 1 NSCOUNT 0 ARCOUNT 1 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: Offset = 0x0028, RR count = 0 Name = [C00C](2)sb(15)scorecardsearch(3)com(0) AUTHORITY SECTION: empty ADDITIONAL SECTION: Offset = 0x0038, RR count = 0 Name = (0) 18.12.2022 20:24:02 1774 PACKET 000002A1016A7D50 UDP Snd 192.168.6.8 0006 R Q [8081 DR NOERROR] A (2)sb(15)scorecardsearch(3)com(0) UDP response info at 000002A1016A7D50 Socket = 868 Remote addr 192.168.6.8, port 61364 Time Query=171623, Queued=171623, Expire=171626 Buf length = 0x0200 (512) Msg length = 0x0038 (56) Message: XID 0x0006 Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 1 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE A (1) QCLASS 1 ANSWER SECTION: Offset = 0x0028, RR count = 0 Name = [C00C](2)sb(15)scorecardsearch(3)com(0) AUTHORITY SECTION: empty ADDITIONAL SECTION: empty 18.12.2022 20:24:03 1774 PACKET 000002A100165910 UDP Rcv 192.168.6.8 0007 Q [0001 D NOERROR] AAAA (2)sb(15)scorecardsearch(3)com(0) UDP question info at 000002A100165910 Socket = 868 Remote addr 192.168.6.8, port 61365 Time Query=171624, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x0028 (40) Message: XID 0x0007 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE AAAA (28) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: empty 18.12.2022 20:24:03 1774 PACKET 000002A100165910 UDP Snd 192.168.6.8 0007 R Q [8081 DR NOERROR] AAAA (2)sb(15)scorecardsearch(3)com(0) UDP response info at 000002A100165910 Socket = 868 Remote addr 192.168.6.8, port 61365 Time Query=171624, Queued=0, Expire=0 Buf length = 0x0200 (512) Msg length = 0x005f (95) Message: XID 0x0007 Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 1 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 Name = (2)sb(15)scorecardsearch(3)com(0) QTYPE AAAA (28) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: Offset = 0x0028, RR count = 0 Name = [C00F](15)scorecardsearch(3)com(0) ADDITIONAL SECTION: empty
-
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
I found interesting thing , when i parsed log using
https://github.com/AleksandrReznik/DNSdebugLogParserfor correctly resolved local domains I get ldap as
Name = (5)_ldap(4)_tcp(6)VM-DC2(10)dummy(5)local(0)
where as for scorecardsearch it is
```
Name = (2)sb(15)scorecardsearch(3)com(0)it doesn't include the _ldap, meaning it doesn't look at local directory ldap for
-
@johnpoz also the ANSWER SECTION is empty, which is very strange.
-
This post is deleted! -
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
Also in logs i found
18.12.2022 18:07:03 13F4 PACKET 000002A17EC0D4E0 UDP Rcv 192.168.3.6 0002 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(10)mydomain(5)local(0)
why it would append the suffix for external hostnames, in log this append was not done for any external hostnames, perhaps it consider itself to be authoritative NS, when in reality it is not?
-
@asadz Problem solved it was sunnyvalley ngfw (integerated with pfsense) which was doing the blacklisting, the way it did was intriguing as it re-writing the socket the response with a different mac address. The pcap at client always showed A query response from DC, but actually it was coming from ngfw firewall which was injecting the response with backhole address.
-
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
-
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
Yes I share your concerns, this IP made it first appearance in var/log of pfsense of 14th same day we enabled new snort rules
The DNS reply logsDec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.3.6,100.2.3.4,USDNS-reply,Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.4.9,100.2.3.4,USDNS-reply
Suggest sunnyvalley providing black hole response. I still think black hole address should be private to be safe and esp should not resolve or routable to www.
Also the MAC address lookup shows 0050560B0310 -> 00005E000101
One is register with VMware other is IANA. Most probably sunnyvalley cloud app is running over VMware.