Unbound DNS vulnerability exploit DDOS attack

Started by scalaechlon, December 01, 2020, 06:15:40 AM


Add the mentioned URL to a dummy list (e.g. Easy List) and hand it over to the configuration script. Then look what happens :)
OPNsense 24.7.11_2-amd64

But the question is "how did that URL get into the list in the first place?"
Garbage in - garbage out. I won't expect unbound to gracefully skip syntactically incorrect config statements.

In my own installation e.g. the "Blocklist.site <something>" lists never worked for me and just crashed unbound. I am only using Ad*, Easy*, NoCoin, Simple*, Steven and Yoyo for that reason.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 02, 2020, 06:27:39 PM #18 Last Edit: December 02, 2020, 06:31:37 PM by Fright
imho
it's definitely garbage in the dnsbl record. Something like
"0.0.0.0 adelogs.adobe.com  ister.co.uk/2014/10/07/adobe_digital_editions_4_caught_snooping_into_ebook_collections_of_users/ #See http://www.theregister.co.uk/2014/10/07/adobe_digital_editions_4_caught_snooping_into_ebook_collections_of_users/"
But perhaps it makes sense to do it with a temporary dnsbl.conf file? Check it with unbound-checkconf (it doesn't check FQDN syntax, but at least it will catch the label length overflow error) and copy it to dnsbl.conf?

Quote from: pmhausen on December 02, 2020, 04:31:13 PM
But the question is "how did that URL get into the list in the first place?"

In my eyes this doesn't matter because the lists' intended use cases are manifold. It could be a copy and paste error made by humans.
OPNsense 24.7.11_2-amd64

Quote from: Fright on December 02, 2020, 06:27:39 PM
imho
it's definitely garbage in the dnsbl record. Something like
"0.0.0.0 adelogs.adobe.com  ister.co.uk/2014/10/07/adobe_digital_editions_4_caught_snooping_into_ebook_collections_of_users/ #See http://www.theregister.co.uk/2014/10/07/adobe_digital_editions_4_caught_snooping_into_ebook_collections_of_users/"
But perhaps it makes sense to do it with a temporary dnsbl.conf file? Check it with unbound-checkconf (it doesn't check FQDN syntax, but at least it will catch the label length overflow error) and copy it to dnsbl.conf?

Do you know the list which includes it?

Unfortunately these blocklists definitely may contain garbage data.
Additionally, they use different formats, which may be the reason why "NoCoin" works and "Blocklist.site <something>" doesn't.


As far as I can see, filtering of blocklist entries got lost when refactoring the download script, which happened with these commits:
https://github.com/opnsense/core/commit/5a364f741ce12ada6351a4cdcbeb0cf628c15ab3
https://github.com/opnsense/core/commit/f16b67232c6000137f210eba8567a8abe46d9b1d

I have chosen EVERY blocklist site, but no match on this entry

December 02, 2020, 09:03:31 PM #23 Last Edit: December 02, 2020, 09:06:47 PM by Fright
@mimugmail
Quote
Do you know the list which includes it?
I wish I knew )
I also want to test the regex for the whitelist )
and I'm wondering why default_pattern_2 is not working for this
(although there is a feeling that default_pattern_2 is not entirely correct for the FQDN syntax check)
But nevertheless, I think a "broken" FQDN is possible that satisfies the "right" regexp but overflows the label length, imho.
So unbound-checkconf would not be useless.

December 02, 2020, 09:28:30 PM #24 Last Edit: December 05, 2020, 07:56:51 AM by Fright
Test bad dnsbl:
--no more link here--
It should import just one string.
Now it imports everything.

December 02, 2020, 09:36:48 PM #25 Last Edit: December 03, 2020, 07:36:30 AM by Fright
Seems to work (does not import broken records) with this regex in the Blacklist whitelist domain:
^(?![a-zA-Z0-9._-]+$)
imho it may work as a temporary workaround.
Expressions like:
https://www.regextester.com/103452
https://regexr.com/3g5j0
(inverted)
filter out even more garbage records, but they cannot be added via the GUI.

December 03, 2020, 07:16:39 AM #26 Last Edit: December 04, 2020, 05:20:06 PM by Fright
Some test results.
Added

# exclude substandard and garbage entries
default_pattern_4=^(?!(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-_]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z0-9-]{2,63}[\.]?$))

to the blacklist template to filter broken and substandard entries.
Check on the "Blocklist.site Malware" dnsbl: 1108 of 456375 entries filtered (IPs and substandard entries).
Filtered entries attached.

Quote from: Fright on December 03, 2020, 07:16:39 AM
Filtered entries attached.

The garbage list looks fine but contains some valid entries (e.g. securelogin.paypal.it.webapps.mpp.home.autenticazione.cfrsfp8hcpkwdzsetpo8vir0wi1t64yyfq5knbn4ckw231kifi4nz3a9st5m.jafinafara.f).

OPNsense 24.7.11_2-amd64

December 04, 2020, 05:12:28 PM #28 Last Edit: December 04, 2020, 05:14:54 PM by Fright
Have you tried to resolve/use these FQDNs?
afaik the TLD min length is 2.
I think it's a parsing error on the dnsbl side.
The full FQDN was:
https://vulners.com/rst/RST:E77B01C1-CBC6-3AC1-91C0-2825F87F434C

Quote from: Fright on December 04, 2020, 05:12:28 PM
afaik the TLD min length is 2.

That's not correct. FQDNs consist of one or more labels, where each label consists of at least one letter or digit. It's a decision of IANA that nowadays no one-character TLDs exist. But the tech specs still allow them.

A detailed description and restrictions can be found in RFC 1035, RFC 1123 and RFC 1912.
OPNsense 24.7.11_2-amd64
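To make the two positions in this thread concrete, here is an added example (not code from the thread or from OPNsense) that runs Fright's default_pattern_4 regex from post #26 and a separate label check following the RFC 1035/1123 rules pmhausen cites over a few constructed entries, including the garbage record quoted above and the long-label name ending in ".f". The sample entries are assumed to already have the hosts-style address and trailing comment stripped, as the blocklist script does before matching.

```python
import re
from typing import Optional

# default_pattern_4 exactly as posted in the thread. It is a negative lookahead, so it
# matches entries that do NOT look like a well-formed FQDN, i.e. the ones to drop.
DEFAULT_PATTERN_4 = re.compile(
    r"^(?!(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-_]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z0-9-]{2,63}[\.]?$))"
)
# One DNS label under the letter-digit-hyphen rule: 1..63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$")

def regex_filters(entry: str) -> bool:
    """True when default_pattern_4 would drop this blocklist entry."""
    return DEFAULT_PATTERN_4.match(entry) is not None

def rfc_hostname_error(entry: str) -> Optional[str]:
    """None if entry is a valid hostname under the RFC 1035/1123 length and LDH rules,
    otherwise a short reason. A one-character TLD is accepted, as the RFCs allow."""
    name = entry.rstrip(".")  # a trailing dot only marks the root
    if not name:
        return "empty name"
    if len(name) > 253:
        return "name longer than 253 characters"
    labels = name.split(".")
    for label in labels:
        if len(label) > 63:
            return "label longer than 63 characters"
        if not LABEL_RE.match(label):  # also catches empty labels, spaces, '/', '_'
            return "label %r violates the letter-digit-hyphen rule" % label
    if labels[-1].isdigit():
        return "top-level label is all digits (RFC 1123 section 2.1)"
    return None

def classify(entries):
    """Map each entry to (dropped_by_regex, rfc_error) so disagreements stand out."""
    return {e: (regex_filters(e), rfc_hostname_error(e)) for e in entries}

# Constructed sample entries (hosts-style address and comment already stripped): the garbage
# record quoted in the thread, the long-label name pmhausen cites, and three controls.
SAMPLE_ENTRIES = [
    "adelogs.adobe.com",
    "adelogs.adobe.com  ister.co.uk/2014/10/07/adobe_digital_editions_4_caught_snooping_into_ebook_collections_of_users/",
    "securelogin.paypal.it.webapps.mpp.home.autenticazione."
    "cfrsfp8hcpkwdzsetpo8vir0wi1t64yyfq5knbn4ckw231kifi4nz3a9st5m.jafinafara.f",
    "a" * 64 + ".example.com",  # label overflow that unbound-checkconf would reject
    "127.0.0.1",
]

for entry, (dropped, err) in classify(SAMPLE_ENTRIES).items():
    print("DROP" if dropped else "keep", err or "rfc ok", entry[:50], sep="  ")
```

The only disagreement is the ".f" name: the regex drops it because of the {2,63} TLD quantifier, while the RFC check accepts it, which is exactly the point of the last two posts.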