I have decided to only allow my university network, my mobile phone provider and the local network. As all three are quite small, I think I should be somewhat safe without having to set up a VPN.

Funnily enough just after my post about my PiHole being open to the public, it got hundreds of DNS requests. I don't think my IP was posted in the logs above. So I was either very lucky to just now have been included in a botnet or does this forum log IP addresses?

I guess so.
You can query your own setup solely via TCP if you want:

dig +short +tcp test.openresolver.com TXT @<YOUR_PUBLIC_IP>

PS. I was a bit off on the UDP/TCP bit:


Alright, I have been convinced that an open resolver is a bad idea. Especially since some botnet started using it to query bja.gov for whatever reason.

I'm now using it via a VPN, which was pretty easy with the tutorial from the pihole docs.

Thank you everyone for your patience and your help.


Aha, that domain has got a lengthy reply to an ANY query (perfectly suited for DDoS):

pi@noads:~ $ host -a bja.gov
Trying "bja.gov"
Trying "bja.gov"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12159
;; flags: qr rd ra; QUERY: 1, ANSWER: 31, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bja.gov.                       IN      ANY

;; ANSWER SECTION:
bja.gov.                196     IN      SOA     dnsgm-dc2.admin.oss.doj.gov. root.usdoj.gov. 1546 10800 1080 2592000 600
bja.gov.                196     IN      RRSIG   SOA 8 2 600 20190529083441 20190519073441 14814 bja.gov. LUx0TNik2Dz/uMTNAwsKnmac7haJnwBQ4WnyQKjmOEEa2Bt/kQTmgVJ4 UdH2it+ZgeF8PHzxSK7wPgsW4qDQMvVORYVkib+gRqGTeShikZMrUkX4 SqW9uOlGd9BP2jcLLUgafAzHwfwKSOmwmAt/ichKOqBDm9ngfu15KP0/ /V8=
bja.gov.                196     IN      RRSIG   SOA 8 2 600 20190529083441 20190519073441 20403 bja.gov. i7a304VPliZ+q8wpDwK2+vqdwBupQBKWv2HiGFwj1AxQ9kcrFGNn2Wc4 1RnqR+/cNmTWQUv+bGxG9Hhb3hFyoWwcml85a30YsfbMG0g8Fn+2rHDx gShCd7/w1hlUn6F2TF0BDUmy3l8Q3Z7d9s/afvVG3LQImk0/dRfVYWNs z7Y=
bja.gov.                196     IN      AAAA    2607:f330:5fa1:1021::a
bja.gov.                196     IN      RRSIG   AAAA 8 2 600 20190528061043 20190518051043 14814 bja.gov. ARnypM5e3OrEldH4cWv5NAK3v317lPKiOZ8N9RHDUDpD8qrK9DOwno+X Us9AYdr3iWqN6W/nOdaPk2GAf/gtIdupN1kfC8HqHp3/wRUC1uDZDqIz YpET2yKiFL3x/I6o2cPPuHfIrvc4ipVKfiJKKtKOF/a80Gcxgz5pnkpK jS0=
bja.gov.                196     IN      RRSIG   AAAA 8 2 600 20190527153708 20190517144827 20403 bja.gov. RUmoc1shunBYe9H4uIuFhaD1L8ezwAlh0q7GIZOYiA02eXoONfmeEoWx htIjzwh8rujONsFcsWciOPcVX94wliVZLdsDxKVyMs2FOyydIkV7tBLI u8mkvNI4CroS7kI1rM7uPqR6+3aluyY5+GSleV0Fzywzc5elGjd/70k/ 2vA=
bja.gov.                431597  IN      DNSKEY  257 3 8 AwEAAbWfYGtCSKR9pNPWmybECQN1Z+ChAjVfX2vpccjKXql7uOz2MNE9 NddY5hXUDnl9iqWQdlMD37+PiW3K91z4r9KUtYDfusBn3NLCbj8bMvB6 oj2XrlM8HAHM7/hcAGPxn81l0ClGezsbLROHWi143t0iK5u52x14Xun6 TaV2io0+FEhsFLaPbuwUX4FFmBe6g2Oq43pz0eCoUlwCsziMphg6UZb6 ZAAQEmQidACpkmfuxHFMZnYUASA4yJ0YuMDCmHkjIKCZaK91xLzV3GUr q921sQ/gnOETqjdf/TsuwTbA8Y2Dt+EiRzoMpPzzOM8FfhDvFdPexdX+ AMreuUv/MBc=
bja.gov.                431597  IN      DNSKEY  256 3 8 AwEAAabP2zotlFumiQESu2sBUITDIA9S5XiO7nT55mNpLaEKDRfu/RBW HBPZf0/pOi+WcK4E2NB+34uLTsdkquO7Xo/TEIsKfdEli3WXvWXkiHl1 fgNnUhPbXy/0d3QDj3R/vFQbdKxtnnQpjWQkFDoNrtv6cSB/fXskjOpY AJxgQcq3
bja.gov.                431597  IN      DNSKEY  256 3 8 AwEAAbg3/rmkHOJIRSUafOoyL6L78RjvDxKr+HBSOKP0Sd5Y4HRrBDwa Omas4Uj76ddxU50fJaQJ/bgNjL/IDt1JhC7RAwadiKyY6BLepA/RX5cV j+ZPBuNRuTT5STfE64VpS6+wPUruKgnp4e+zJPLrgRPvrhFvLvaNPVLq LeH3d7qb
bja.gov.                431597  IN      RRSIG   DNSKEY 8 2 432000 20190528061044 20190518051044 14814 bja.gov. LQpbMwQnePLOwH+Mp6rlLHS+cG7/IKRo7aT8PHW2UrMNzifNayKwiupj FA4b5VbGYKK+Y5w+4mMPVV9vHC4IoZOcy93wd3PFRmuMxFWaHGFqE/95 lXzqP2SsqmgPviuJ2kh5r0ya2BR28g+aZMaogtebAbC7VacdMBNbkKSh Bi8=
bja.gov.                431597  IN      RRSIG   DNSKEY 8 2 432000 20190528061044 20190518051044 20403 bja.gov. qm4utIp3qYqPSKa1ZAK8JqoT92VmhZ8Sc0afui9PQU7jqn8vSS7HM/iG danOdqvzSFY7xLoZeDMh7tukLzl4ZpWJ1LTpgBHMcKs1fOkIEw4e98Cr WZqaZDumqzxMij6sNdeAFtNWjytLh0y9qTIAoC9F/WTxLy334cbpOMfW TZk=
bja.gov.                431597  IN      RRSIG   DNSKEY 8 2 432000 20190528061044 20190518051044 56476 bja.gov. pNkZBOlU8Mfp9xiVi0tfZT4mgM73Kc9HSi8CsrEwq3DW7dEgnvfrUvGb KRWRCzkpEzB99GHnVgBosmjCedBa1m9WmTGe56a5+8eTjNdldNrqlY50 K56eZxoxnGfR9845OjXkLBhKxF39G5UgEXXggITdXwOq1Ard15DUayxd rXS9EWoN31lrLM+u1t73Cw3qBaM58oH34MEQyBhOJlbvjKh9Sb8ZtsK6 rVNK1+1y/+2RtzLGeA1gRo0hZPHfJGUghxBKwVKYxONYOo6ZJlitv85w JA/xiKQkV2YbCy2Qtvj5OkAfgIGLoWPW+5LkKUCjS4KTjYZPxMaISdXZ soB6oQ==
bja.gov.                197     IN      MX      10 mx-da6.usdoj.gov.
bja.gov.                197     IN      MX      10 mx-jdcw.usdoj.gov.
bja.gov.                197     IN      RRSIG   MX 8 2 600 20190528061043 20190518051043 14814 bja.gov. jDIuD96NZEjTPAaqQWVeDMelxlJale/JbwiDMmNHYg8ujkKV5nOCMtHc dYtFEWk67x7ccxgL/g9vJPjZUmhRYiRn8eHEOh48bH0rauUs6DIc7EgA e88BTv+thPz5Vyz4OpvXuhtIL+Oz8R/6oNBltr2zOYKZKt8kpgHKroqM WAY=
bja.gov.                197     IN      RRSIG   MX 8 2 600 20190526192658 20190516190815 20403 bja.gov. BESBxTTy1c53WSclNhshP63xwhSGjuvF6dgGZOTvzeTs6j8AgapU/wno BDAQw9B15FKz/XuW7kEXBcYz2NKeVy6mR8bsxY5T0yxEx6NEIl/04r4i LtvPgdawCj8RNDdMJURkbQgLH2r/oxo9ZKpS1yanxbdcWJudUocU5Fxx zJ0=
bja.gov.                196     IN      NS      ns-jdcw-02.usdoj.gov.
bja.gov.                196     IN      NS      ns-jdcw-01.usdoj.gov.
bja.gov.                196     IN      RRSIG   NS 8 2 600 20190528061043 20190518051043 14814 bja.gov. hSIcIIMPMJUa/jeAqFnDi0gyBdfTWuMt3Kn/m4FDXqNgCCPc6mT+0Qmc b0+0bnpsovRMB57jynm82RbeKew8VRXZXQofTqrScjeVs2bvB+C2ZH7s /zpLoiwhZVnKOLo05mQZwW6qKjrnqpqi/mKov7yoV65F6EvDgytiDwtD Bo8=
bja.gov.                196     IN      RRSIG   NS 8 2 600 20190528040532 20190518032830 20403 bja.gov. rbd/RaIrnV7U/ionxvhn2UUbfwcOVSvOx/utPwBit6KTSejx66ldKr+R eBqyiySoQmjE+O7SRfkMjKOODEgSBBE8CaMb7yIyTKM71ERBPuFHB6Dt ZUVaNa1WTNRDtqoe1fBCWpNvviCD4QmXH3S3V1godTJsxK97/dVGkjBH F58=
bja.gov.                197     IN      TXT     "v=DMARC1;" "p=reject;" "rua=mailto:knickens@iir.com," "mailto:reports@dmarc.cyber.dhs.gov," "mailto:dmarcreports@usdoj.gov"
bja.gov.                197     IN      TXT     "v=DMARC1;" "p=reject;" "rua=mailto:reports@dmarc.cyber.dhs.gov,mailto:dmarcreports@usdoj.gov"
bja.gov.                197     IN      TXT     "v=spf1 include:_spf.usdoj.gov include:public.govdelivery.com -all"
bja.gov.                197     IN      RRSIG   TXT 8 2 600 20190528061043 20190518051043 14814 bja.gov. mf6pbgxgl9lVK+K2Rb0SMdyRqV6bZjsQiy0aN/MZUC//OnJ7VvIWv/fZ lfUXUooY22cPMyk4NMKvdu9vctnHBElfqbKrMl6TZvkrKT/il0Vsa4Nv ys9AqXqRQroznLLyyGoDXzxJO5OVhOmBzZgrR83brOe3YcDtQhzN5JhV 4bQ=
bja.gov.                197     IN      RRSIG   TXT 8 2 600 20190528014738 20190518012500 20403 bja.gov. J5ZAdHey/NDj98WlDUFeRJeZyA/A7f1K7BqC4s+mbsTzUsEZVkCZfnMt wrg6NYwldrDEcYVgiGK2OlF7BDSxoA7YjlQoQyx5HmUIjevvs7gKBBFH PaDsAijkMSiUu0zOKU9vVDF6J1LlRP6RLAqp/9EoMufuJcieW36tPuBQ MRY=
bja.gov.                196     IN      A       149.101.127.10
bja.gov.                196     IN      RRSIG   A 8 2 600 20190528144021 20190518140725 20403 bja.gov. NkrUmfxC2gjP3PbL8YYzp9lRq3mJD761qkNzHYImQ+6ldv5cX/R39h0f 3eyHsYL8pru/V9AybqBiW6p5eNfNiNx+EgM2TqUOh4EYLJLs+oWE7s46 ZtsRqvs3VJ9aQQaJrWApGN1ayAjc+mq3ZkmK77u6Q38oN9ly2iVRtejj qVw=
bja.gov.                196     IN      RRSIG   A 8 2 600 20190528144021 20190518140725 14814 bja.gov. CJc1QRZb/gBZmTX0aBpjQjwxzSD8LtoaGq5cSJjLq7odwm8OIVpqxHBg kdXCVAcudFFDdKIdjIZSTjZyzd1gZk2jzWoR62fRUiqgpD6XTLvJvVTR W5PPEbp4sy5//2Morbl8kM4wvIMlnfWGrIUuGjaCdJtAB6pbY1+ZtS3M 59A=
bja.gov.                196     IN      NSEC3PARAM 1 0 10 CF929DF1C8270DBA7E62B66B
bja.gov.                196     IN      RRSIG   NSEC3PARAM 8 2 600 20190528061043 20190518051043 14814 bja.gov. PfCZC1VV+DceM5J2WS2vUHYg35CR+VyjcF+eqohbZzkr9en/Bb8tV9Qy QccNt+Hk2LHVaTchzhK/rNsRs7lptLY3zveIr8vySo+1+fv9DiXWQTse /1aM4SUiq1OTtN5HRKiIsmKsLuuMfq9EY9oqJ90tiH1cQE4DAFxwWsr9 R3k=
bja.gov.                196     IN      RRSIG   NSEC3PARAM 8 2 600 20190528061043 20190518051043 20403 bja.gov. iU4lfBsMZAbxzov5823QUJ3Y6ByicUTFiSygcp8nB5K3MVfrahOVB7fm zsQdj8mwNr/fnqlLv1ez/arJN2TQNGwNhlwsYM9a/l1uBXQ8FSN5ybr8 YzB0cgDfxHEx/ELHR3pacYzJoIaNzQ0D4MxSjMiWv+YaSPLvcSHmoMio 1S8=

Received 4111 bytes from 127.0.0.1#53 in 100 ms

When the source IP address in the packets gets spoofed to the victim target IP, the above reply will have to be dealt with by the target host.
And this times 2000 or so for a proper DDoS.

Wouldn't it make sense to have the option to disable the ANY query type in pihole or unbound? It's been deprecated by Cloudflare since 2015 (Deprecating the DNS ANY meta-query type) and would solve all issues with DDoS over DNS, wouldn't it?

It would not.

Cloudflare is running a public service.
Pi-hole is not intended as a public facing service.
I would rather keep the opportunity to do ANY queries.

PS. Thinking about it, you only need a reply that's 512 or 1500 bytes long.
Some TXT records can be pretty long.
More than 512 bytes is when DNS tries EDNS using a larger UDP packet (from wiki).
And 1500 bytes is usually the max for a single UDP packet.
Everything that's larger is of no use, as then TCP would kick in.
And with TCP, the reflection part will break in an attack, as the TCP 3-way handshake will not complete and the connection is dropped pretty quickly.
Not sure if I'm right?
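An added example (not from any poster in this thread) that puts numbers on the two points made above: the size of a bare ANY query against the 4111-byte bja.gov reply, which transport such a reply ends up on under the 512/EDNS/TCP reasoning, and a small scan over dnsmasq/Pi-hole query-log lines to spot ANY queries arriving from outside the networks the owner chose to allow. The allowed networks, the log lines and the EDNS buffer size are constructed placeholders, not values from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for the owner's allowed networks (real ranges are not
# given in the thread). Anything outside these counts as "public internet".
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# dnsmasq / Pi-hole query log line shape: "dnsmasq[PID]: query[TYPE] NAME from SRC"
LOG_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Constructed sample log lines: two external ANY queries, one internal ANY, one A.
SAMPLE_LOG = [
    "May 19 08:34:41 dnsmasq[812]: query[ANY] bja.gov from 203.0.113.7",
    "May 19 08:34:41 dnsmasq[812]: query[ANY] bja.gov from 203.0.113.7",
    "May 19 08:34:42 dnsmasq[812]: query[ANY] bja.gov from 192.168.1.20",
    "May 19 08:34:43 dnsmasq[812]: query[A] pi-hole.net from 198.51.100.9",
]

def query_wire_size(name: str) -> int:
    """Bytes in a minimal DNS query for `name` (no EDNS): 12-byte header,
    one length byte per label plus the label, a terminating 0, 4 bytes QTYPE/QCLASS."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return 12 + sum(1 + len(l) for l in labels) + 1 + 4

def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """How many response bytes the reflector emits per query byte."""
    return response_bytes / query_bytes

def transport_for(response_bytes: int, edns_bufsize: int = 4096) -> str:
    """Where a reply of this size lands: classic UDP (<=512 bytes), EDNS UDP up to
    the advertised buffer (4096 is a constructed default), otherwise truncation -> TCP."""
    if response_bytes <= 512:
        return "udp"
    if response_bytes <= edns_bufsize:
        return "edns-udp"
    return "tcp"

def flag_external_any(lines, allowed_nets=ALLOWED_NETS) -> Counter:
    """Count ANY queries whose source is not inside an allowed network,
    keyed by (source_ip, queried_name)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["qtype"] != "ANY":
            continue
        if any(ipaddress.ip_address(m["src"]) in net for net in allowed_nets):
            continue
        hits[(m["src"], m["name"])] += 1
    return hits

if __name__ == "__main__":
    q = query_wire_size("bja.gov")
    print(q, round(amplification_factor(q, 4111), 1), transport_for(4111))
    print(flag_external_any(SAMPLE_LOG))
```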
