Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to illegal DNS record from pfsense (DNS-resolver corruption)

    Scheduled Pinned Locked Moved DHCP and DNS
    66 Posts 4 Posters 4.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      asadz @johnpoz
      last edited by

      @johnpoz its a production DC, i dnt want to install wireshark as it normally requires a reboot, plus the above etl analysis shows zero bytes was exchanged for this IP, so it remain passive, no for entry i need to do some forensic to see where this IP is

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @asadz
        last edited by

        @asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

        wireshark as it normally requires a reboo

        nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        A 4 Replies Last reply Reply Quote 0
        • A
          asadz @johnpoz
          last edited by

          @johnpoz
          6.8 is my IP i get after connecting to VPN. The reboot is for npcap driver in case of wireshark. Anyhow, here is the debug logs from the link you shared. I can't make much of it. Seems its resolving requests on its own.

          18.12.2022 20:24:02 1774 PACKET  000002A1016A7D50 UDP Rcv 192.168.6.8     0006   Q [0001   D   NOERROR] A      (2)sb(15)scorecardsearch(3)com(0)
UDP question info at 000002A1016A7D50
  Socket = 868
  Remote addr 192.168.6.8, port 61364
  Time Query=171623, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0028 (40)
  Message:
    XID       0x0006
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name = (2)sb(15)scorecardsearch(3)com(0)
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

18.12.2022 20:24:02 1774 PACKET  000002A1007E2960 UDP Snd 192.168.3.7     a4c2   Q [0001   D   NOERROR] A      (2)sb(15)scorecardsearch(3)com(0)
UDP question info at 000002A1007E2960
  Socket = 13744
  Remote addr 192.168.3.7, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0033 (51)
  Message:
    XID       0xa4c2
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name = (2)sb(15)scorecardsearch(3)com(0)
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0028, RR count = 0
    Name = (0)

18.12.2022 20:24:02 1774 PACKET  000002A10025D0B0 UDP Rcv 192.168.3.7     a4c2 R Q [8081   DR  NOERROR] A      (2)sb(15)scorecardsearch(3)com(0)
UDP response info at 000002A10025D0B0
  Socket = 13744
  Remote addr 192.168.3.7, port 53
  Time Query=171623, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0043 (67)
  Message:
    XID       0xa4c2
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    1
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name = (2)sb(15)scorecardsearch(3)com(0)
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x0028, RR count = 0
    Name = [C00C](2)sb(15)scorecardsearch(3)com(0)
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0038, RR count = 0
    Name = (0)

18.12.2022 20:24:02 1774 PACKET  000002A1016A7D50 UDP Snd 192.168.6.8     0006 R Q [8081   DR  NOERROR] A      (2)sb(15)scorecardsearch(3)com(0)
UDP response info at 000002A1016A7D50
  Socket = 868
  Remote addr 192.168.6.8, port 61364
  Time Query=171623, Queued=171623, Expire=171626
  Buf length = 0x0200 (512)
  Msg length = 0x0038 (56)
  Message:
    XID       0x0006
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    1
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name = (2)sb(15)scorecardsearch(3)com(0)
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x0028, RR count = 0
    Name = [C00C](2)sb(15)scorecardsearch(3)com(0)
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

18.12.2022 20:24:03 1774 PACKET  000002A100165910 UDP Rcv 192.168.6.8     0007   Q [0001   D   NOERROR] AAAA   (2)sb(15)scorecardsearch(3)com(0)
UDP question info at 000002A100165910
  Socket = 868
  Remote addr 192.168.6.8, port 61365
  Time Query=171624, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0028 (40)
  Message:
    XID       0x0007
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name = (2)sb(15)scorecardsearch(3)com(0)
      QTYPE   AAAA (28)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

18.12.2022 20:24:03 1774 PACKET  000002A100165910 UDP Snd 192.168.6.8     0007 R Q [8081   DR  NOERROR] AAAA   (2)sb(15)scorecardsearch(3)com(0)
UDP response info at 000002A100165910
  Socket = 868
  Remote addr 192.168.6.8, port 61365
  Time Query=171624, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x005f (95)
  Message:
    XID       0x0007
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name = (2)sb(15)scorecardsearch(3)com(0)
      QTYPE   AAAA (28)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0028, RR count = 0
    Name = [C00F](15)scorecardsearch(3)com(0)
    ADDITIONAL SECTION:
      empty
          1 Reply Last reply Reply Quote 0
          • A
            asadz @johnpoz
            last edited by

            @johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

            @asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

            wireshark as it normally requires a reboo

            nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.

            I found interesting thing , when i parsed log using
            https://github.com/AleksandrReznik/DNSdebugLogParser

            for correctly resolved local domains I get ldap as

            Name = (5)_ldap(4)_tcp(6)VM-DC2(10)dummy(5)local(0)

            where as for scorecardsearch it is
            ```
            Name = (2)sb(15)scorecardsearch(3)com(0)

            it doesn't include the _ldap, meaning it doesn't look at local directory ldap for
            A 1 Reply Last reply Reply Quote 0
            • A
              asadz @asadz
              last edited by

              @johnpoz also the ANSWER SECTION is empty, which is very strange.

              1 Reply Last reply Reply Quote 0
              • A
                asadz @johnpoz
                last edited by asadz

                This post is deleted!
                1 Reply Last reply Reply Quote 0
                • A
                  asadz @johnpoz
                  last edited by

                  @johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

                  @asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

                  wireshark as it normally requires a reboo

                  nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.

                  Also in logs i found

                  18.12.2022 18:07:03 13F4 PACKET  000002A17EC0D4E0 UDP Rcv 192.168.3.6     0002   Q [0001   D   NOERROR] A      (2)sb(15)scorecardsearch(3)com(10)mydomain(5)local(0)

                  why it would append the suffix for external hostnames, in log this append was not done for any external hostnames, perhaps it consider itself to be authoritative NS, when in reality it is not?

                  A 1 Reply Last reply Reply Quote 0
                  • A
                    asadz @asadz
                    last edited by

                    @asadz Problem solved it was sunnyvalley ngfw (integerated with pfsense) which was doing the blacklisting, the way it did was intriguing as it re-writing the socket the response with a different mac address. The pcap at client always showed A query response from DC, but actually it was coming from ngfw firewall which was injecting the response with backhole address.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @asadz
                      last edited by

                      @asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

                      with backhole address.

                      of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..

                      A simple wireshark would of seen right away that answer was coming from a different mac address, etc.

                      Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.

                      Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      A 1 Reply Last reply Reply Quote 0
                      • A
                        asadz @johnpoz
                        last edited by asadz

                        @johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

                        @asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):

                        with backhole address.

                        of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..

                        A simple wireshark would of seen right away that answer was coming from a different mac address, etc.

                        Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.

                        Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?

                        Yes I share your concerns, this IP made it first appearance in var/log of pfsense of 14th same day we enabled new snort rules
                        The DNS reply logs

                        Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.3.6,100.2.3.4,USDNS-reply,Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.4.9,100.2.3.4,USDNS-reply

                        Suggest sunnyvalley providing black hole response. I still think black hole address should be private to be safe and esp should not resolve or routable to www.

                        Also the MAC address lookup shows 0050560B0310 -> 00005E000101
                        One is register with VMware other is IANA. Most probably sunnyvalley cloud app is running over VMware.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.