On 17/06/17 15:01, Stuart Henderson wrote:
> On 2017-06-17, Maurice McCarthy <[email protected]> wrote:
> > On 17/06/17 09:27, Stuart Henderson wrote:
> >> On 2017-06-16, Maurice McCarthy <[email protected]> wrote:
> >> > Ooops! ... Well, I moved the .Xauthority file aside and restarted X to
> >> > create a new one. Obviously it has one line with my hostname in it. But
> >> >
> >> > $ xauth list
> >> > fresh.yem/unix:0 MIT-MAGIC-COOKIE-1 ...
> >> > advancedsearch.virginmedia.com:0 MIT-MAGIC-COOKIE-1 ...
> >> >
> >> > And only now did I notice that the magic cookie is identical for both
> >> > entries. This mystifies me. (BTW apparently Virgin has historically used
> >> > a bit of DNS hijacking so I bunged this line into /etc/hosts before
> >> > restarting X.
> >> >
> >> > 127.0.0.1 advancedsearch.virginmedia.com )
> >>
> >> It'll be because of your hosts entry. Try xauth -n list instead.
> >>
> >
> > Ahhhh, I see. The hosts entry says that advancedsearch.virginmedia.com
> > is an alias for the local host.
> >
> > $ xauth -n list
> > fresh.yem/unix:0 MIT-MAGIC-COOKIE-1 ...
> > 81.200.64.50:0 MIT-MAGIC-COOKIE-1 ...
> >
> > So this tells me why I'm getting this list now. But that hosts entry was
> > only made _after_ I'd found virginmedia in the xauth list.
>
> Hmm - I was expecting maybe 127.0.0.1 in there - it looks like
> 81.200.64.50 really is the address of advancedsearch.virginmedia.com.
> I don't know the full details of how X figures out which hosts to add
> there but I think one or other of these are involved,
>
> 1. looks like your local hostname is "fresh.yem", attempting to resolve
> that from VM DNS will hit their NXDOMAIN hijacking and return either
> 81.200.64.50 or a CNAME to advancedsearch.virginmedia.com or similar.
>
> 2. maybe something has done a reverse lookup for 127.0.0.1 and got
> advancedsearch.virginmedia.com from the hosts file, then done a forward
> lookup for advancedsearch.virginmedia.com and added access to the IP
> address resolved for it.
>
> Adding to /etc/hosts for things which you want to "block" is fairly
> common practice but I've never been a huge fan.. For this case where
> you're just working around the ISP resolver hijacking NXDOMAIN
> responses I'd usually take the workaround of running my own local
> recursive DNS server (e.g. unbound) and use that instead of the
> ISP's.
>
> Going back to the original question, I don't think it's an intrusion,
> just due to less-than-ideal things with the DNS setup.
>
> Also note that X doesn't normally listen to TCP anyway any more, this
> was changed around 2015. You would need to use the -listen flag, as
> well as remove the default firewall rules that block 6000:6010.
>
Thanks for that Stuart, fresh.yem is my host and, obviously, starting X
before switching on the router prevents the xauth entry from ever
appearing.

I'll have a read of the unbound man pages and see if I can fathom that.

I tried removing the resolv.conf entry nameserver 192.168.0.1 by playing
with dhclient.conf but neither 'ignore' nor 'supercede' statements
worked. Prepending the opendns servers did work as expected

nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.0.1
lookup file bind

(resolv.conf.tail only appends nameservers)

$ nslookup 8.8.8.8
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
8.8.8.8.in-addr.arpa    name = google-public-dns-a.google.com.

Still, if I can understand unbound, I'd give that a go.

Cheers
Moss
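A check for the resolver behaviour Stuart describes, as an added example that is not part of the thread: it queries a few random names that cannot exist (an honest resolver answers NXDOMAIN for all of them, a hijacking one answers with its sinkhole address) and then tests whether the local hostname resolves to that sinkhole, which is the path by which an ISP address could end up in an xauth entry. The resolver interface, the reuse of the thread's "yem" suffix and the two fake resolvers are assumptions for illustration.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# Assumed interface (added example): a resolver maps a hostname to one IPv4
# address string and raises socket.gaierror when the name does not exist.
Resolver = Callable[[str], str]


def system_resolver(name: str) -> str:
    """Resolve through the nameservers configured in /etc/resolv.conf."""
    return socket.gethostbyname(name)


def _random_name(suffix: str) -> str:
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(14))
    return f"{label}.{suffix}"


def detect_nxdomain_hijack(resolve: Resolver, suffix: str = "yem",
                           probes: int = 3) -> Optional[List[str]]:
    """Return the sinkhole address(es) if every random probe name resolves,
    or None if the resolver honestly returns NXDOMAIN for at least one."""
    answers = set()
    for _ in range(probes):
        try:
            answers.add(resolve(_random_name(suffix)))
        except socket.gaierror:
            return None  # a genuine NXDOMAIN: no hijacking seen
    return sorted(answers)


def check_local_hostname(resolve: Resolver, hostname: str,
                         sinkholes: List[str]) -> Dict[str, object]:
    """The thread's case: if the machine's own hostname resolves to the
    sinkhole, anything that resolves that hostname records the ISP address."""
    try:
        addr: Optional[str] = resolve(hostname)
    except socket.gaierror:
        addr = None
    return {"hostname": hostname, "address": addr,
            "points_at_sinkhole": addr is not None and addr in sinkholes}


# Constructed fake resolvers, using the address quoted in the thread.
def constructed_hijacker(name: str) -> str:
    return "81.200.64.50"          # answers every name, like a hijacking ISP


def constructed_honest(name: str) -> str:
    raise socket.gaierror(-2, "Name or service not known")  # plain NXDOMAIN


if __name__ == "__main__":
    sink = detect_nxdomain_hijack(system_resolver)
    print("NXDOMAIN hijack:", sink or "not detected")
    if sink:
        print(check_local_hostname(system_resolver, socket.gethostname(), sink))
```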

