Unable to illegal DNS record from pfsense (DNS-resolver corruption)
-
@johnpoz also the ANSWER SECTION is empty, which is very strange.
-
This post is deleted! -
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
wireshark as it normally requires a reboo
nope never seen it require that.. Have installed it hundreds of time - I have never seen it require a reboot that I can ever remember.
Also in logs i found
18.12.2022 18:07:03 13F4 PACKET 000002A17EC0D4E0 UDP Rcv 192.168.3.6 0002 Q [0001 D NOERROR] A (2)sb(15)scorecardsearch(3)com(10)mydomain(5)local(0)why it would append the suffix for external hostnames, in log this append was not done for any external hostnames, perhaps it consider itself to be authoritative NS, when in reality it is not?
-
@asadz Problem solved it was sunnyvalley ngfw (integerated with pfsense) which was doing the blacklisting, the way it did was intriguing as it re-writing the socket the response with a different mac address. The pcap at client always showed A query response from DC, but actually it was coming from ngfw firewall which was injecting the response with backhole address.
-
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
-
@johnpoz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
@asadz said in Unable to illegal DNS record from pfsense (DNS-resolver corruption):
with backhole address.
of 100.1.2.4 ? that is a HORRIBLE blackhole choice that is for sure..
A simple wireshark would of seen right away that answer was coming from a different mac address, etc.
Again if the DC was putting traffic on the wire, would of seen that and know from upstream something was returning the 100.x address.
Glad you found it.. but using a valid public IP, ie 100.1.2.4 is horrible horrible choice of blackhole address.. Maybe it was a typo and was suppose to be 10.1.2.4?
Yes I share your concerns, this IP made it first appearance in var/log of pfsense of 14th same day we enabled new snort rules
The DNS reply logsDec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.3.6,100.2.3.4,USDNS-reply,Dec 14 14:31:08,reply,A,A,Unk,sb.scorecardresearch.com,192.168.4.9,100.2.3.4,USDNS-reply
Suggest sunnyvalley providing black hole response. I still think black hole address should be private to be safe and esp should not resolve or routable to www.
Also the MAC address lookup shows 0050560B0310 -> 00005E000101
One is register with VMware other is IANA. Most probably sunnyvalley cloud app is running over VMware.
