-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Martin,

On 09/02/15 18:33, Martin Bachmann wrote:
> Hi all,
>
> We've run into a DNS poisoning issue in our company network since
> Friday. The issue is being discussed here:
> https://forum.pfsense.org/index.php?topic=87491.0 - we use Unbound
> on a pfSense. A few other users have the same problem:
>
> - All of a sudden, all host names resolve to a malware host.
> - It stops automatically after some time.
> - There's no ARP poisoning going on, so it really comes from Unbound
>   on the pfSense.

So, unbound comes with a set of commands for unbound-control that allow
you to monitor the runtime settings; these are exactly meant to let you
audit the settings in the running daemon and check whether they are
still correct: unbound-control list_forwards.

You could try to use a packet capture of the traffic going to 8.8.8.8
and the responses. Or you can get unbound to log verbosely (a high
verbosity setting); although much slower, at level 4 it'll print a
dig-like output for packets received from upstream, so you can see
where the malicious data comes from. Or just dig @8.8.8.8 from the
command line, from something that has the same routing as the pfSense
firewall box with unbound on it, and look at the result.

Unbound has DNSSEC capabilities that are meant to protect against these
sorts of things (only for DNSSEC-signed domains, of course). You can
easily turn it on with unbound-anchor -a /etc/root.key and putting
auto-trust-anchor-file: "/etc/root.key" in unbound.conf.

Best regards,
   Wouter

> Example:
>
> While "on":
>
> $ host omx.ch
> omx.ch has address 195.22.26.248
> omx.ch mail is handled by 10 mx1.csof.net.
> omx.ch mail is handled by 10 mx2.csof.net.
>
> Normally:
>
> $ host omx.ch
> omx.ch has address 62.48.3.132
> omx.ch mail is handled by 10 mxhost1.omx.ch.
>
> Other wrongly resolved IPs lead to sso.mlwr.io (which tries to
> redirect back to xsso.<correcthost.com>/<someidentifier>)
>
> Any ideas?
>
> - Martin
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJU2cDZAAoJEJ9vHC1+BF+ND9MP/Ait2iHPkKyy3kxG5RXEw1b5
IH1lbaWeUglsAJG6kjjKuS5bOAzK6I9AetezYMAXHkYUt7ApaaZTJKEbx5QeGH8g
bvfanqigLLd2Xvm9p7SMj/zCvg1ShGQL7eOtS07QImM3Z+Eu845hN3FtzUKWHthI
XlcsAbBJEipDQTLU2Z37lKO+hXptWANtXEdFrWhKGVJ/RnX11KrFYuQU09oNxajN
WeXtcMq0Q4/xKiglWlcEZTVuY6nDvNDGPf/mVeSq0YtUMJ/JP8nmpJyQ0We8sUDy
BEQ3Y05r1Yp2wcmmGZWNLeFK/mSG5jcKIyPiUrRZnKjpn2HVlkE0/ZTAHSJXfPtY
O3CefQS4dbpOE54lLnDYvAwQ8SwsUnwQ+rIhCM8YLahZiM7+oIewTMMuP0/O3AFe
oRAk8cAfzOmYunLbDd1V9zDPdkUx/oNXcy0YmyWwAedz7EHEba/233FMuWviIBSY
s3HkhBH2wV1/jjx08A5MxFAr1H4jQpUh64R0/3Xc6wZRKFKaX1Fo5Ss80yqskesX
TcU4hLxrVJIAevg2qb6+7I5RsQO+8wYxPVEGkwK4gDFkE0YZnxyk2yuC5uIsgPF2
QtdXcWLhYyA3JPbUxk5WRI0siS7N5DftXEk2gKL2Ds3ukhW5gG4LisUtqNZhgbO9
jsM1kpIW8G30NsEZIcBH
=6GJv
-----END PGP SIGNATURE-----
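The checks Wouter suggests (audit the running daemon's forwarders, compare the local resolver's answers with what the upstream returns directly, and look for the "everything resolves to one host" pattern) can be scripted. The following is an added example, not code from the thread or from the Unbound project. It assumes the `unbound-control list_forwards` line format `<zone> IN forward <target> ...`; the forwarder address 198.51.100.7, the names example.org, example.net and printer.corp, and their addresses are constructed sample data (the omx.ch values are the ones quoted in the thread). It runs offline on those constants.

```python
"""Offline audit for the Unbound hijack symptom described in the thread:
compare the runtime forwarders reported by `unbound-control list_forwards`
with the configured ones, compare local answers with direct upstream
answers, and flag an address that many unrelated names share."""
from collections import Counter

# Constructed sample of `unbound-control list_forwards` output. The line
# format "<zone> IN forward <target> ..." is an assumption; the forwarder
# here has been changed from the configured 8.8.8.8 at runtime.
LIST_FORWARDS_OUTPUT = ". IN forward 198.51.100.7\n"

# What the pfSense configuration is supposed to forward to.
EXPECTED_FORWARDERS = {".": {"8.8.8.8", "8.8.4.4"}}

# Constructed: A records from the local resolver while the problem is "on"
# (omx.ch values as quoted in the thread) and from the upstream directly,
# i.e. what `dig @8.8.8.8 +short <name>` would return.
LOCAL_ANSWERS = {
    "omx.ch": {"195.22.26.248"},
    "example.org": {"195.22.26.248"},
    "example.net": {"195.22.26.248"},
    "printer.corp": {"10.0.0.5"},
}
UPSTREAM_ANSWERS = {
    "omx.ch": {"62.48.3.132"},
    "example.org": {"203.0.113.10"},
    "example.net": {"203.0.113.20"},
    "printer.corp": {"10.0.0.5"},
}


def parse_list_forwards(text):
    """Return {zone: set(targets)} from list_forwards output, skipping
    option flags such as "+i" that may trail the target list."""
    forwards = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] != "forward":
            continue
        forwards[parts[0]] = {t for t in parts[3:] if not t.startswith("+")}
    return forwards


def audit_forwards(runtime, expected):
    """Zones whose runtime forwarders differ from the configured ones,
    as (zone, expected_sorted, runtime_sorted) tuples."""
    problems = []
    for zone in sorted(set(runtime) | set(expected)):
        want = expected.get(zone, set())
        got = runtime.get(zone, set())
        if want != got:
            problems.append((zone, sorted(want), sorted(got)))
    return problems


def diff_answers(local, upstream):
    """Names whose local answer disagrees with the direct upstream answer."""
    return sorted(n for n in local if n in upstream and local[n] != upstream[n])


def sinkhole_candidates(answers, min_names=3):
    """Addresses shared by at least min_names different names: the
    'all host names resolve to a malware host' symptom."""
    counts = Counter(a for addrs in answers.values() for a in addrs)
    return {a: n for a, n in counts.items() if n >= min_names}


def report(forwards_text, expected, local, upstream):
    """Run all three checks and return the findings as a dict."""
    return {
        "forwarders": audit_forwards(parse_list_forwards(forwards_text), expected),
        "mismatches": diff_answers(local, upstream),
        "sinkholes": sinkhole_candidates(local),
    }


if __name__ == "__main__":
    findings = report(LIST_FORWARDS_OUTPUT, EXPECTED_FORWARDERS,
                      LOCAL_ANSWERS, UPSTREAM_ANSWERS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

To use it against a live box, replace the constants with the real output of `unbound-control list_forwards` and with answers collected via `host` (local resolver) and `dig @8.8.8.8 +short` (upstream). The forwarder check matters because `unbound-control` can change forwarders in the running daemon without touching unbound.conf, so a clean config file alone does not prove the daemon is still forwarding where it should.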
