Re: [Dnsmasq-discuss] Problem with domain names containing 3 or more minus in a row
Dnsmasq can be linked with the IDN library, which deals with non-ASCII characters in domain names and converts them to punycode. I suspect that the IDN library may well barf when given a name containing punycode already.

dnsmasq -v should tell you if IDN is in use or not, in the compile time options.

Simon.

On 11/03/2021 19:08, psycl...@web.de wrote:
> Hi wkitty42,
>
> thanks for the reply.
> This punycode indeed is a good start.
>
> I found a website that converts punycode to plain text and apparently
> only one of five domains seems to be punycode.
>
> Please don't click them, they are considered to be malicious:
> address=/00.00.1596.hk/
> address=/00-0.0n-line.info/
> address=/9--9.tk/
> address=/apple.commacupdate.info/
> address=/xnylbefiabzfr6bln8a2ef.gr/
>
> The last one is in fact valid punycode. It has Cyrillic/Greek letters.
>
> The first 4 domains seem to be non-punycode, maybe only made to
> distract scanner and possibly maybe even dns-blacklists?
>
> I didn't try to use the converted sample yet, since problems starting
> dnsmasq already occur with the 1st domain.
> Also I don't know how to convert possible punycode by script.
>
> Anyway, thank you very much for the heads up.
>
> *Sent:* Monday, 08 March 2021 at 13:49
> *From:* wkitt...@gmail.com
> *To:* dnsmasq-discuss@lists.thekelleys.org.uk
> *Subject:* Re: [Dnsmasq-discuss] Problem with domain names containing 3
> or more minus in a row
>
> On 3/8/21 3:31 AM, psycl...@web.de wrote:
>> Therefore I use lists called "Shalla's Blacklists" that happen to have domains
>> with multiple minus in a form like this XX.XX.1596.hk. (This is not the
>> actual domain, since it is malicious I changed one letter to X).
>
> eWAG in progress:
> on first read, "punycode" comes to mind... it appears that you are trying to
> block domains which use non-latin characters in their domain names... have you
> tried using the actual characters instead of the punycode equivalents?
>
> for more info on "punycode" here's a link i found in a quick search...
> https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/comment-page-1/
>
> personally speaking, i don't know how dnsmasq works with non-latin character
> domain names... i don't recall reading anything specific about it in the last
> years i've been on the list... i look forward, with anticipation, on further
> discussion about this and how dnsmasq can work with the original and punycode
> formats for the same domain name...
>
> --
> NOTE: No off-list assistance is given without prior approval.
> *Please keep mailing list traffic on the list unless*
> *a signed and pre-paid contract is in effect with us.*
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Problem with domain names containing 3 or more minus in a row
Hi wkitty42,

thanks for the reply.
This punycode indeed is a good start.

I found a website that converts punycode to plain text and apparently only one of five domains seems to be punycode.

Please don't click them, they are considered to be malicious:
address=/00.00.1596.hk/
address=/00-0.0n-line.info/
address=/9--9.tk/
address=/apple.commacupdate.info/
address=/xnylbefiabzfr6bln8a2ef.gr/

The last one is in fact valid punycode. It has Cyrillic/Greek letters.

The first 4 domains seem to be non-punycode, maybe only made to distract scanner and possibly maybe even dns-blacklists?

I didn't try to use the converted sample yet, since problems starting dnsmasq already occur with the 1st domain.
Also I don't know how to convert possible punycode by script.

Anyway, thank you very much for the heads up.

Sent: Monday, 08 March 2021 at 13:49
From: wkitt...@gmail.com
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Problem with domain names containing 3 or more minus in a row

On 3/8/21 3:31 AM, psycl...@web.de wrote:
> Therefore I use lists called "Shalla's Blacklists" that happen to have domains
> with multiple minus in a form like this XX.XX.1596.hk. (This is not the
> actual domain, since it is malicious I changed one letter to X).

eWAG in progress:
on first read, "punycode" comes to mind... it appears that you are trying to block domains which use non-latin characters in their domain names... have you tried using the actual characters instead of the punycode equivalents?

for more info on "punycode" here's a link i found in a quick search...
https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/comment-page-1/

personally speaking, i don't know how dnsmasq works with non-latin character domain names... i don't recall reading anything specific about it in the last years i've been on the list... i look forward, with anticipation, on further discussion about this and how dnsmasq can work with the original and punycode formats for the same domain name...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*
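
One way to do the punycode conversion by script and pre-sort a blocklist before handing it to dnsmasq, as an added example that is not part of the original thread or of dnsmasq. The function names and sample entries are constructed for illustration; the reserved-hyphen rule is from RFC 5890, and which of these classes a given dnsmasq/IDN build rejects is not established here.

```python
import re

LDH = re.compile(r"^[a-z0-9-]{1,63}$")        # letters, digits, hyphen; max 63 octets
ADDRESS = re.compile(r"^address=/([^/]+)/")   # dnsmasq blocklist line: address=/name/
SEVERITY = ["ldh", "idn", "reserved-hyphen", "bad-punycode", "invalid"]

def classify_label(label):
    """Return (kind, display_form) for a single DNS label."""
    label = label.lower()
    if not LDH.match(label) or label.startswith("-") or label.endswith("-"):
        return "invalid", label
    if label.startswith("xn--"):
        try:
            # A-label: strip the ACE prefix and decode the punycode payload.
            return "idn", label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return "bad-punycode", label
    if label[2:4] == "--":
        # RFC 5890 reserves labels with "--" in positions 3-4 that are not xn--.
        return "reserved-hyphen", label
    return "ldh", label

def classify_domain(domain):
    """Classify a name by its most problematic label; also give its Unicode form."""
    parts = [classify_label(l) for l in domain.rstrip(".").split(".")]
    worst = max((kind for kind, _ in parts), key=SEVERITY.index)
    return worst, ".".join(text for _, text in parts)

def scan(lines):
    """Yield (name, kind, display_form) for every address=/name/ line."""
    for line in lines:
        m = ADDRESS.match(line.strip())
        if m:
            yield (m.group(1),) + classify_domain(m.group(1))

# Constructed sample input, not taken from any real blocklist.
SAMPLE = [
    "address=/plain.example/",
    "address=/9--9.example/",
    "address=/a---b.example/",
    "address=/xn--mnchen-3ya.example/",
    "address=/xn--9.example/",
    "# comment line, ignored",
]

if __name__ == "__main__":
    for name, kind, shown in scan(SAMPLE):
        print(f"{kind:16} {name:28} {shown}")
```

Entries classified as anything other than `ldh` or `idn` are the ones to review or split into a separate file before loading the list.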
Re: [Dnsmasq-discuss] Problem with domain names containing 3 or more minus in a row
On 3/8/21 3:31 AM, psycl...@web.de wrote:
> Therefore I use lists called "Shalla's Blacklists" that happen to have domains
> with multiple minus in a form like this XX.XX.1596.hk. (This is not the
> actual domain, since it is malicious I changed one letter to X).

eWAG in progress:
on first read, "punycode" comes to mind... it appears that you are trying to block domains which use non-latin characters in their domain names... have you tried using the actual characters instead of the punycode equivalents?

for more info on "punycode" here's a link i found in a quick search...
https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/comment-page-1/

personally speaking, i don't know how dnsmasq works with non-latin character domain names... i don't recall reading anything specific about it in the last years i've been on the list... i look forward, with anticipation, on further discussion about this and how dnsmasq can work with the original and punycode formats for the same domain name...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*