Hi wkitty42,
 
thanks for the reply.
This punycode indeed is a good start.
 
I found a website that converts punycode to plain text and apparently only one of five domains seems to be punycode.
 
Please don't click them, they are considered to be malicious:
address=/0----0.0----0.1596.hk/
address=/0------------0-------------0.0n-line.info/
address=/9------9.tk/
address=/apple.com----macupdate.info/
address=/xn----ylbefiabzfr6bln8a2ef.gr/
 
The last one is in fact valid punycode. It has Cyrillic/Greek letters.
 
The first 4 domains seem to be non-punycode, maybe only made to distract scanners and possibly even DNS blacklists?
 
I didn't try to use the converted sample yet, since problems starting dnsmasq already occur with the 1st domain.
Also I don't know how to convert possible punycode by script.
 
Anyway, thank you very much for the heads up.
 
 
Sent: Monday, 08 March 2021 at 13:49
From: wkitt...@gmail.com
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Problem with domain names containing 3 or more minus in a row
On 3/8/21 3:31 AM, psycl...@web.de wrote:
> Therefore I use lists called "Shalla's Blacklists" that happen to have domains
> with multiple minus in a form like this X----X.X----X.1596.hk. (This is not the
> actual domain, since it is malicious I changed one letter to X).

eWAG in progress:
on first read, "punycode" comes to mind... it appears that you are trying to
block domains which use non-latin characters in their domain names... have you
tried using the actual characters instead of the punycode equivalents?

for more info on "punycode" here's a link i found in a quick search...
https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/comment-page-1/

personally speaking, i don't know how dnsmasq works with non-latin character
domain names... i don't recall reading anything specific about it in the last
years i've been on the list... i look forward, with anticipation, on further
discussion about this and how dnsmasq can work with the original and punycode
formats for the same domain name...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
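
On converting possible punycode by script, as asked in the thread: the sketch below is an added example, not part of the original messages and not dnsmasq code. It reads `address=/domain/` lines, decodes labels that carry the `xn--` prefix, and separately flags labels that merely have hyphens in the third and fourth positions (a form RFC 5890 reserves) without being punycode. The sample domains are constructed and the function names are hypothetical.

```python
import re

# Constructed sample lines in dnsmasq "address=/domain/" form
# (deliberately not the domains quoted in the thread).
SAMPLE = """\
address=/a----b.c----d.example/
address=/xn--mnchen-3ya.example/
address=/shop.com----update.example/
address=/xn--9.example/
"""

ADDRESS_RE = re.compile(r"^address=/([^/]+)/")


def classify_label(label):
    """Return (kind, text) for a single DNS label."""
    low = label.lower()
    if low.startswith("xn--"):
        try:
            # Drop the ACE prefix, then decode the punycode payload.
            return "punycode", low[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            # Has the prefix but the payload does not decode.
            return "invalid-ace", label
    if low[2:4] == "--":
        # "--" in positions 3 and 4 without "xn": reserved form, not punycode.
        return "reserved-hyphens", label
    return "plain", label


def classify_line(line):
    """Return (domain, sorted non-plain kinds, decoded name) or None."""
    match = ADDRESS_RE.match(line.strip())
    if not match:
        return None
    domain = match.group(1)
    parts = [classify_label(lbl) for lbl in domain.split(".")]
    kinds = sorted({kind for kind, _ in parts} - {"plain"})
    return domain, kinds, ".".join(text for _, text in parts)


def report(text):
    """Classify every address= line in a blocklist excerpt."""
    return [r for r in map(classify_line, text.splitlines()) if r]


if __name__ == "__main__":
    for domain, kinds, decoded in report(SAMPLE):
        print(f"{domain:32} {','.join(kinds) or 'plain':18} {decoded}")
```
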
 
 