From: Lee
Newsgroups: comp.protocols.dns.bind
Subject: Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/
Date: Fri, 5 Jun 2020 20:33:21 -0400
To: Fred Morris
Cc: bind-users@lists.isc.org
On 6/5/20, Fred Morris wrote:
> Hrmmm... I'm reminded of something else I've seen reported on recently...
>
> On Fri, 5 Jun 2020, Ejaz Ahmed wrote:
>> localhost.cyberia.net.sa
>
> I don't know if you've been paying attention, but it's been reported that
> among others eBay has been port scanning visitors' devices [0]. Having
> localhost.ebay.com could be handy for them in terms of circumventing some
> rules on setting of cookies and the execution of scripts. Not saying
> that's what they're doing, heaven forbid.
>
> Any domain you visit could have entries in it which point to e.g.
> localhost or nonrouting addresses commonly used for gateways, things like
> that.
>
> This is not a DNS problem, it's a problem in what commonly used programs
> aid and abet in the name of "freedom of commerce" or something.

It's possible to block with RPZ & something else that I can't recall right
now. I did RPZ blocking first, so I didn't bother changing

  ; return NXDOMAIN for any 127.0.0.0/8 answers
  ; exceptions:
  onea.net-snmp.org   CNAME rpz-passthru.
  twoa.net-snmp.org   CNAME rpz-passthru.
  localhost           CNAME rpz-passthru.
  8.0.0.0.127.rpz-ip  CNAME .     ; 127.0.0.0/8
  ; check:
  ;   localhost          127.0.0.1
  ;   onea.net-snmp.org  127.0.0.1
  ;   twoa.net-snmp.org  127.0.0.2 127.0.0.3

All my other host names that used to return 127.0.0.1 answers don't any
more :(

Anyone know some valid names I can use for testing?

Lee
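Added example, not part of Lee's post and not BIND's own code: a small Python model of the RPZ rules above. It computes the reversed rpz-ip owner name from a CIDR (the part of an RPZ zone most often written wrong), renders the rules as a loadable zone with placeholder SOA/NS, and simulates BIND's evaluation order, in which QNAME triggers are decided before response-IP triggers. That order is why the three rpz-passthru. entries survive the 127.0.0.0/8 rule while every other name whose answer falls in 127/8 is rewritten to NXDOMAIN, which is exactly what Lee observes. The zone origin rpz.local, the hostnames dev.example and www.example, and the answer addresses are constructed for the example; only localhost and the two net-snmp.org names come from the post. IPv6 triggers use a different encoding and are left out.

```python
# Added example, not code from the original thread: model the RPZ rules Lee
# posted, render them as a zone, and simulate BIND's policy evaluation.
# Names other than localhost and *.net-snmp.org are hypothetical.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

PASSTHRU = "rpz-passthru."   # CNAME target meaning "leave the answer alone"
NXDOMAIN = "."               # CNAME target meaning "rewrite to NXDOMAIN"


def rpz_ip_owner(cidr: str) -> str:
    """Owner name of a response-IP trigger for an IPv4 CIDR.

    Format is <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-ip (octets reversed,
    prefix length first), so 127.0.0.0/8 becomes 8.0.0.0.127.rpz-ip.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def _apply(target: str, answers: list[str]) -> tuple[str, list[str]]:
    """Turn a CNAME target into (action, resulting answer set)."""
    if target == PASSTHRU:
        return ("passthru", list(answers))
    if target == NXDOMAIN:
        return ("nxdomain", [])
    raise ValueError(f"unsupported RPZ action {target!r}")


@dataclass
class RpzPolicy:
    # QNAME triggers: owner name -> CNAME target. Exact match only; a
    # separate "*.name" entry would be needed to cover subdomains too.
    qname: dict[str, str] = field(default_factory=dict)
    # Response-IP triggers: (network, CNAME target)
    ip: list[tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)

    def passthru(self, name: str) -> None:
        self.qname[name.lower().rstrip(".")] = PASSTHRU

    def nxdomain_for_ip(self, cidr: str) -> None:
        self.ip.append((ipaddress.IPv4Network(cidr, strict=True), NXDOMAIN))

    def records(self) -> list[str]:
        """Zone-file lines in the same shape as the posted snippet."""
        lines = [f"{n} CNAME {t}" for n, t in self.qname.items()]
        lines += [f"{rpz_ip_owner(str(net))} CNAME {t}" for net, t in self.ip]
        return lines

    def render_zone(self, origin: str = "rpz.local") -> str:
        """A loadable zone; SOA/NS are placeholders, as is usual for RPZ."""
        head = [
            f"$ORIGIN {origin}.",
            "$TTL 300",
            "@ SOA localhost. root.localhost. 1 3600 900 1209600 300",
            "@ NS localhost.",
        ]
        return "\n".join(head + self.records()) + "\n"

    def evaluate(self, qname: str, answers: list[str]) -> tuple[str, list[str]]:
        """Simulate BIND's RPZ decision for one response.

        QNAME triggers are evaluated before response-IP triggers, so a
        'localhost CNAME rpz-passthru.' entry is decided before the
        127.0.0.1 in the answer is ever examined.
        """
        name = qname.lower().rstrip(".")
        if name in self.qname:
            return _apply(self.qname[name], answers)
        # Among response-IP triggers the longest matching prefix wins.
        best = None
        for net, target in self.ip:
            if any(ipaddress.IPv4Address(a) in net for a in answers):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, target)
        if best is not None:
            return _apply(best[1], answers)
        return ("none", list(answers))


def lee_policy() -> RpzPolicy:
    """The rules from the post: NXDOMAIN for 127/8 answers, three exceptions."""
    p = RpzPolicy()
    for n in ("onea.net-snmp.org", "twoa.net-snmp.org", "localhost"):
        p.passthru(n)
    p.nxdomain_for_ip("127.0.0.0/8")
    return p


if __name__ == "__main__":
    p = lee_policy()
    print(p.render_zone())
    # Constructed responses; dev.example and www.example are hypothetical.
    for q, a in [("localhost", ["127.0.0.1"]),
                 ("twoa.net-snmp.org", ["127.0.0.2", "127.0.0.3"]),
                 ("dev.example", ["127.0.0.1"]),
                 ("www.example", ["192.0.2.10"])]:
        print(q, a, "->", p.evaluate(q, a))
```

To use the rendered zone with BIND, declare it as an ordinary primary zone (the origin rpz.local is this example's assumption) and point the options block at it with `response-policy { zone "rpz.local"; };`. Any name whose A answer lands in 127/8 and that is not listed as a passthru will then come back NXDOMAIN, which is the behaviour Lee describes for his remaining hostnames.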