[Unbound-users] DNS poisoning - any ideas how this can happen?
wouter at nlnetlabs.nl
Tue Feb 10 08:27:05 UTC 2015
On 09/02/15 18:33, Martin Bachmann wrote:
> Hi all,
> We've run into a dns poisoning issue in our company network since
> Friday. The issue is being discussed here:
> https://forum.pfsense.org/index.php?topic=87491.0 - we use Unbound
> on a pfSense. A few other users have the same problem:
> - All of a sudden, all host names resolve to a malware host.
> - It stops automatically after some time.
> - There's no arp poisoning going on, so it really comes from Unbound on the pfSense.
So, unbound comes with a set of commands for unbound-control that
allow you to monitor the runtime settings, and these are exactly meant
to let you audit the settings in the running daemon and check whether
they are still correct, e.g. unbound-control list_forwards.
You could try to use packet capture of traffic going to 220.127.116.11 and
the responses. Or you can get unbound to log verbosely (high
verbosity setting); although much slower, at level 4 it'll print
dig-like output for packets received from upstream, so you can see
where the malicious data comes from.
Or just dig @18.104.22.168 from the command line on a host that has the same routing
as the pfSense firewall box with unbound on it, and look at the result.
Unbound has DNSSEC capabilities that are meant to protect against
these sorts of things (only for DNSSEC signed domains of course). You
can easily turn it on with unbound-anchor -a /etc/root.key and putting
auto-trust-anchor-file: "/etc/root.key" in unbound.conf.
> While "on":
> $ host omx.ch
> omx.ch has address 22.214.171.124
> omx.ch mail is handled by 10 mx1.csof.net.
> omx.ch mail is handled by 10 mx2.csof.net.
> $ host omx.ch
> omx.ch has address 126.96.36.199
> omx.ch mail is handled by 10 mxhost1.omx.ch
> Other wrongly resolved IPs lead to sso.mlwr.io (which tries to redirect
> back to xsso.<correcthost.com>/<someidentifier>)
> Any ideas?
> - Martin
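Wouter's suggestion of comparing what the pfSense resolver answers against what a direct query of the upstream returns can be scripted once the answers are collected with dig or host. The following is an added example, not code from the thread or from Unbound: it parses "name address" lines (the sample answers and the addresses in them are constructed), reports names whose answers diverge between the two resolvers, and flags the pattern Martin describes, many unrelated names collapsing onto one address.

```python
"""Audit collected DNS answers for the poisoning pattern in the thread.
Sample data below is constructed; collect real lines with dig/host."""
from collections import Counter, defaultdict
import ipaddress

# Constructed samples: answers from the suspect (pfSense) resolver and
# from a direct query to the upstream, one "name address" pair per line.
SUSPECT_ANSWERS = """\
omx.ch 192.0.2.10
example.net 192.0.2.10
nlnetlabs.nl 192.0.2.10
localhost 127.0.0.1
"""
UPSTREAM_ANSWERS = """\
omx.ch 198.51.100.7
example.net 198.51.100.42
nlnetlabs.nl 203.0.113.5
localhost 127.0.0.1
"""

def parse_answers(text):
    """Return {name: set(addresses)}; skip lines that are not name+IP."""
    answers = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[1])  # validates and normalises
        except ValueError:
            continue
        answers[parts[0].rstrip(".").lower()].add(str(addr))
    return answers

def divergent_names(suspect, upstream):
    """Names both resolvers answered but with different address sets."""
    return sorted(n for n in suspect if n in upstream and suspect[n] != upstream[n])

def sinkhole_addresses(answers, threshold=3):
    """Addresses returned for at least `threshold` distinct names."""
    counts = Counter(a for addrs in answers.values() for a in addrs)
    return sorted(a for a, c in counts.items() if c >= threshold)

def audit(suspect_text, upstream_text, threshold=3):
    suspect, upstream = parse_answers(suspect_text), parse_answers(upstream_text)
    return {"divergent": divergent_names(suspect, upstream),
            "sinkholes": sinkhole_addresses(suspect, threshold)}

if __name__ == "__main__":
    print(audit(SUSPECT_ANSWERS, UPSTREAM_ANSWERS))
```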