Blocked sites are still accessible from network devices
While looking into the ability of my phone to access a blocked domain name, I tried some wget from my laptop and noticed that I can still wget things that are supposed to be blocked.
For example, I have *.mixmarket.biz blocked in the blocked sites list. But I can still successfully retrieve the landing page:
```
vsniff0315c-carnivore-fbi-doj:development bladernr$ wget www.mixmarket.biz
--2018-01-06 15:13:38-- http://www.mixmarket.biz/
Resolving www.mixmarket.biz... 89.249.22.200
Connecting to www.mixmarket.biz|89.249.22.200|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://mixmarket.biz/ [following]
--2018-01-06 15:13:38-- http://mixmarket.biz/
Resolving mixmarket.biz... 89.249.22.200
Reusing existing connection to www.mixmarket.biz:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
[ <=> ] 35,239 55.7KB/s in 0.6s
2018-01-06 15:13:39 (55.7 KB/s) - ‘index.html’ saved [35239]
```
Likewise, I have a block listing for *.v1cdn.net and yet I can still do this:
```
vsniff0315c-carnivore-fbi-doj:development bladernr$ wget gpla1.wpc.v1cdn.net
--2018-01-06 15:19:38-- http://gpla1.wpc.v1cdn.net/
Resolving gpla1.wpc.v1cdn.net... 72.21.81.131
Connecting to gpla1.wpc.v1cdn.net|72.21.81.131|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-01-06 15:19:38 ERROR 404: Not Found.
```
It's returning a 404 as there's nothing there to grab, but I can still resolve that domain name and attempt to access it.
A whois on that IP shows that it's actually resolving and connecting to a Verizon-owned IP address:
```
NetRange:       72.21.80.0 - 72.21.95.255
CIDR:           72.21.80.0/20
NetName:        EDGECAST-NETBLK-01
NetHandle:      NET-72-21-80-0-1
Parent:         NET72 (NET-72-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15133
Organization:   MCI Communications Services, Inc. d/b/a Verizon Business (MCICS)
RegDate:        2007-04-23
Updated:        2017-12-01
Comment:        For abuse concerns, please contact abuse@verizondigitalmedia.com
Ref:            https://whois.arin.net/rest/net/NET-72-21-80-0-1
```
And if I visit that URL in a browser, I get a Google malware warning page with a manual click-through to either the Google report page or the originally requested URL.
Unless I'm just misreading things and the firewall block list is a redirect back into a cloud instance somewhere on Verizon's network, though if that were the case I'd have expected a redirect into AWS or some public cloud provider.
-
Jeff, all the domain blocking is done via DNS. For example, in my case I have blocked coinhive.com. See if you can test the same way (use your blocked domain in place of coinhive).
What happens below is that the dnsmasq server on Firewalla is returning a blackhole address for coinhive.com.
If your DNS server is IPv6, let us know.
```
J-MacBook-Pro-6:aws j$ nslookup coinhive.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Name: coinhive.com
Address: 198.51.100.99
```
-
1. One workaround is to set the default DNS on your router to be IPv4. I think someone got it working that way.
2. Use DHCP mode. It will turn everything into IPv4.
3. Wait just a couple more weeks; we will have IPv6 as an option to run. The code is already running, we just need to turn it on.
-
So... I think I understand at least part of the problem: how is my network supposed to know to ask the Firewalla for IP addresses when making DNS requests?
I'm running an internal DHCP server that also provides internal DNS with forwarding. So...
```
vsniff0refbidoj:development bladernr$ host -v mixmarket.biz
Trying "mixmarket.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2282
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mixmarket.biz. IN A
;; ANSWER SECTION:
mixmarket.biz. 980 IN A 89.249.22.200
;; AUTHORITY SECTION:
mixmarket.biz. 521 IN NS ns1.7host.ru.
mixmarket.biz. 521 IN NS ns.7host.ru.
;; ADDITIONAL SECTION:
ns.7host.ru. 42238 IN A 89.249.22.216
ns1.7host.ru. 42238 IN A 89.249.24.10
Received 122 bytes from 192.168.0.10#53 in 11 ms
Trying "mixmarket.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2289
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mixmarket.biz. IN AAAA
;; AUTHORITY SECTION:
mixmarket.biz. 980 IN SOA ns.7host.ru. hostmaster.7host.ru. 2014090931 3600 900 1209600 1200
Received 89 bytes from 192.168.0.10#53 in 30 ms
Trying "mixmarket.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51725
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;mixmarket.biz. IN MX
;; ANSWER SECTION:
mixmarket.biz. 980 IN MX 5 mxs.mixmarket.biz.
;; AUTHORITY SECTION:
mixmarket.biz. 521 IN NS ns.7host.ru.
mixmarket.biz. 521 IN NS ns1.7host.ru.
;; ADDITIONAL SECTION:
mxs.mixmarket.biz. 1580 IN A 89.249.22.207
ns.7host.ru. 42238 IN A 89.249.22.216
ns1.7host.ru. 42238 IN A 89.249.24.10
Received 142 bytes from 192.168.0.10#53 in 3 ms
```
So I guess the question now is, what exactly is Firewalla doing to make other things on the network get DNS information from it?
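A client-side check for the situation in this thread, added here as an example (it is not Firewalla's code): it parses `host -v` output, notes which resolver answered each query, and flags block-listed names that still resolve to a real address instead of the blackhole. The blackhole address 198.51.100.99 is the one shown in the nslookup above; the block list, the rule that `*.x` also covers the apex `x`, the resolver address 192.168.1.1 and the sample transcript are assumptions.

```python
"""Audit DNS-based blocking from the client side (example written for this
thread, not Firewalla's code). dnsmasq on Firewalla answers a listed name with
a blackhole address; a client that asks another resolver gets the real one."""
import fnmatch
import re

BLACKHOLE = "198.51.100.99"  # sink address from the nslookup in the thread
BLOCKLIST = ["*.mixmarket.biz", "*.v1cdn.net", "coinhive.com"]  # assumed list
A_RECORD = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\d+(?:\.\d+){3})$")
RESOLVER = re.compile(r"^Received \d+ bytes from ([0-9a-fA-F.:]+)#\d+")


def is_listed(name, blocklist=BLOCKLIST):
    """True if name matches an entry; '*.x' is assumed to cover the apex x too."""
    name = name.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, e.lower()) or
               (e.startswith("*.") and name == e[2:].lower()) for e in blocklist)


def parse_host_v(text):
    """Yield (name, ip, resolver) per A answer; 'Received ... from X#53' names X."""
    pending = []
    for line in text.splitlines():
        if m := A_RECORD.match(line.strip()):
            pending.append((m[1], m[2]))
        elif m := RESOLVER.match(line.strip()):
            yield from ((n, ip, m[1]) for n, ip in pending)
            pending = []


def audit(text, blocklist=BLOCKLIST, blackhole=BLACKHOLE):
    """Map name -> (verdict, ip, resolver); BYPASSED = listed but not sunk."""
    result = {}
    for name, ip, resolver in parse_host_v(text):
        if not is_listed(name, blocklist):
            verdict = "not-listed"
        else:
            verdict = "blocked" if ip == blackhole else "BYPASSED"
        result[name.rstrip(".")] = (verdict, ip, resolver)
    return result


# Constructed transcript: two answers via the internal forwarder, one via Firewalla
SAMPLE = """\
mixmarket.biz.\t\t980\tIN\tA\t89.249.22.200
Received 122 bytes from 192.168.0.10#53 in 11 ms
gpla1.wpc.v1cdn.net.\t300\tIN\tA\t72.21.81.131
Received 70 bytes from 192.168.0.10#53 in 9 ms
coinhive.com.\t\t60\tIN\tA\t198.51.100.99
Received 58 bytes from 192.168.1.1#53 in 2 ms
"""

if __name__ == "__main__":
    for name, (verdict, ip, via) in audit(SAMPLE).items():
        print(f"{verdict:10} {name:22} -> {ip:15} via {via}")
```

Any `BYPASSED` line means the host asked a resolver that never consulted Firewalla's dnsmasq, which is exactly the case with the forwarding DNS server at 192.168.0.10 above.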