Zip domains a bad idea

This is a little scary:

See the two GitHub examples about halfway down.

Time to block all *.zip and *.mov domains?

4 Likes

This may be easy with a proxy,
with something like *.zip and *.mov.
Any suggestions without a proxy?

I don’t have a good answer. But someone is trying to create a list of zip domains and their IP addresses.

This looks like it could be a start for an IPSet list!

1 Like

You can use DNS Forwarding. Just enter zip as zone, something that will never answer as server (127.1.2.3 for example), Enable, Disable DNSSEC. Then do the same for mov.

I’m not sure this is a huge problem, however; the people vulnerable to this are likely to fall prey to many other “easier” scams, too.

1 Like

IPFire WEB Home/Network/DNS Forwarding

Add the zip and the mov there as new entries.
Use 0.0.0.0 for a fast response.

1 Like

@trash-trash - can you click on the edit (the pencil) and post a screenshot of the larger firewall rule page? I have a terrible time understanding the mini version of the firewall rules.

Thank you!

1 Like

I don’t think you need a firewall rule for this.
They are using the DNS Forward tab,
so if I understand this right:
Zone = *.zip (* wildcard / anything).zip
Name server 127.1.2.3 (loopback address, will get no response)
generally the only loopback address used is 127.0.0.1, localhost
and apparently 0.0.0.0 is an invalid IP, so it will work the same?
0.0.0.0 is sometimes all IPs, like *.*.*.* would be

DNSSEC disabled (because not valid)

Assuming this only disables DNSSEC for that domain,
so all requests go into the loopback black hole.
Hope I have this right.

D’oh!
:face_with_peeking_eye:
I am an idiot!

I’ll look at the DNS Forwarding. I am worried about disabling the DNSSEC (which I don’t want to do!)

Does this need to be updated? The last bit about “Open console” -
can this be done from the WUI
without the manual modifications?

maybe (I need to read through it!). If you see something incorrect feel free to add or change.

I tried a few different things with DNS Forward and I keep getting

DNS forward configuration

Error messages

Invalid domain name.

Keep in mind I know little to nothing about DNS Forward.

1 Like

Perhaps the error is correct,
and the wiki is correct.
You would need to add it through the console per the wiki.
Perhaps Stefan would know.

@jon
Hi Jon
Does adding zip and mov to DNS Forward work? Or is there any error?
On my side, I had no error and the test result works. I tested others to check the function too.

Just type zip into Zone and the IP 0.0.0.0 or IP 127.0.0.1 into Nameservers.
Enabled and Add / Save.
Same for mov.
No need for DNSSEC because we just block those two top-level domains. No need for any checks.

BR
Trash

All of my tests included wildcards (e.g., *.zip). I’ll give it a try with just zip. I am curious, what did you do to test this?


EDIT: it looks like this is what is changed (see stub-zone):

[root@ipfireAPU bin] # cat /etc/unbound/forward.conf
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

server:
	qname-minimisation-strict: yes

stub-zone:
	name: zip
	stub-addr: 0.0.0.0

forward-zone:
	name: "."
	forward-tls-upstream: yes
. . .

As you can see in the last screenshot of DNS Forwarding, I just added “com net org” and further top-level domains for tests.
Sites that I was not browsing before I started the test end with no result… timeout.

Remember please, that your computer has IPs in the cache that need to be cleared. Maybe disconnect the network for a short time and reconnect, or reboot the computer where you are testing.

The reason why I do not use 127.0.0.1 at this point is that the clients get no localhost reference info, so they do not try to search further.

Furthermore I tried, with a live Linux on DVD, to serve some zip sites in an isolated network … All tests go into timeout too.

BR
Trash

FYI - with Disable DNSSEC the forward.conf looks like this…

[root@ipfireAPU bin] # cat /etc/unbound/forward.conf
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

server:
	qname-minimisation-strict: yes

stub-zone:
	name: zip
	stub-addr: 0.0.0.0

server:
	domain-insecure: zip
forward-zone:
	name: "."
	forward-tls-upstream: yes
. . .

Test this please:

/var/ipfire/dnsforward/conf

on,zip,0.0.0.0,block top domain *.zip,off
on,mov,0.0.0.0,block top domain *.mov,off

To test any other, simply enter another top-level domain.
Example to make it easy:
on,com,0.0.0.0,block top domain *.com,off
on,net,0.0.0.0,block top domain *.net,off

BR
Trash
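To make the two pieces of this post concrete (the conf line format and the stub-zone output shown earlier in the thread), here is an added example that is not IPFire’s own code: it parses lines in the /var/ipfire/dnsforward/conf format, renders the matching unbound stub-zone blocks (plus domain-insecure when the DNSSEC flag is set), and checks which hostnames a zone entry actually covers. The meaning of the five fields (enabled, zone, nameserver, remark, disable-DNSSEC) is an assumption inferred from the samples in this thread, and the sample lines are constructed.

```python
"""Added example: parse IPFire DNS Forwarding entries and render the
unbound stub-zone blocks that black-hole whole top-level domains.

Not IPFire's own code. The field layout of /var/ipfire/dnsforward/conf is
an assumption inferred from the samples in this thread:
    enabled,zone,nameserver,remark,disable-dnssec
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample mirroring the lines posted above (third line added,
# disabled, to show that disabled entries produce no config).
SAMPLE_CONF = """\
on,zip,0.0.0.0,block top domain *.zip,off
on,mov,0.0.0.0,block top domain *.mov,on
off,com,0.0.0.0,block top domain *.com,off
"""

# One DNS label: letters, digits, hyphen; no wildcard, no dot. A zone may
# have several labels ("localdomain.local"), but "*.zip" is rejected, which
# is consistent with the "Invalid domain name." error seen in the thread.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_zone(zone: str) -> bool:
    """True if every label of the zone is a plain DNS label."""
    return bool(zone) and all(_LABEL.match(label) for label in zone.split("."))


def parse_conf(text: str) -> list[dict]:
    """Parse the CSV-style config into a list of entry dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        enabled, zone, nameserver, remark, no_dnssec = (f.strip() for f in fields)
        zone = zone.rstrip(".").lower()
        if not is_valid_zone(zone):
            raise ValueError(f"line {lineno}: invalid domain name {zone!r}")
        ipaddress.ip_address(nameserver)  # raises ValueError on a bad address
        entries.append({
            "enabled": enabled == "on",
            "zone": zone,
            "nameserver": nameserver,
            "remark": remark,
            "disable_dnssec": no_dnssec == "on",
        })
    return entries


def render_unbound(entries: list[dict]) -> str:
    """Render stub-zone blocks in the shape of /etc/unbound/forward.conf."""
    out = []
    for e in entries:
        if not e["enabled"]:
            continue
        # 0.0.0.0 is unroutable, so unbound's query to the "stub server"
        # fails fast and every name under the zone ends in SERVFAIL.
        out.append(f"stub-zone:\n\tname: {e['zone']}\n\tstub-addr: {e['nameserver']}\n")
        if e["disable_dnssec"]:
            # Otherwise a validating resolver would still try to prove the
            # zone's DNSSEC chain through a server that never answers.
            out.append(f"server:\n\tdomain-insecure: {e['zone']}\n")
    return "\n".join(out)


def blocked_zone(hostname: str, entries: list[dict]) -> str | None:
    """Return the enabled zone covering hostname, or None.

    Matching is on whole labels, which is why the zone is entered as "zip"
    and not "*.zip": "files.example.zip" is covered, "example.zip.com" is not.
    """
    host = hostname.rstrip(".").lower()
    for e in entries:
        if not e["enabled"]:
            continue
        if host == e["zone"] or host.endswith("." + e["zone"]):
            return e["zone"]
    return None


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    print(render_unbound(parsed))
    for name in ("files.example.zip", "example.zip.com", "clip.mov", "foo.com"):
        print(f"{name:20} -> {blocked_zone(name, parsed)}")
```

Running the script prints the stub-zone block for zip, the stub-zone plus domain-insecure lines for mov, and nothing for the disabled com entry; the hostname checks show why a bare TLD label is the right thing to enter in the Zone field.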

Ok, I think I understand why this can and should be
just "zip", not *.zip.
I was confusing web site addresses / names with the domain.
Google .com
“com” is the domain
My IPFire router is “ipfire.localdomain”
“localdomain” is the domain
ipfire is equivalent to Google

So if I have 2 IPFires with an N2N tunnel,
1 named "ipfirehome.shaunhome"
2 named "ipfirework.shaunwork"

I would add work in the DNS forward to ipfire.shaunhome.

@hvacguy

You are good, you have explained it well.

My DNS Forward has the info for:
localhost.localdomain.local.
ipfire.localdomain.local.

localhost = 127.0.0.1
ipfire = 127.0.0.1
localdomain = 127.0.0.1
local = 127.0.0.1
My “root ns .” = 127.0.0.1

Please note: Never use another domain name when you are not the owner! And owner of your own name server! Or have set that domain locally to 127.0.0.1.

At the old forum of ipfire.org it was explained excellently.

So if you are not the owner of example.com or example.net etc., do not choose ipfire.example.com for your firewall. In some cases you will share information with that domain. So avoid doing so.
Keep using ipfire.localdomain.local; this is safe.

Sorry for my bad English.

Edit:
two corrections made for typos.

@hvacguy
In the case of your example we take e.g. [www.google.com.]
www is the sub domain and web server, and in other words a (( localhost on that machine ))
google is the domain, and in other words the localdomain
com is the top-level domain (TLD), and in other words the local
. is the root name server

BR
Trash

1 Like

This is such an interesting topic, I can’t believe I missed this :slight_smile:

Google Domains, which appears to be the exclusive registrar, was sold to Squarespace,

and this list of all ZIP domains was taken down by GitHub. I wonder why???

So far I have only found 2 ZIP domains:
community DOT z i p
url DOT z i p

dot zip name servers:
ns-tld1.charlestonroadregistry.com 216.239.32.105
2001:4860:4802:32:0:0:0:69
ns-tld2.charlestonroadregistry.com 216.239.34.105
2001:4860:4802:34:0:0:0:69
ns-tld3.charlestonroadregistry.com 216.239.36.105
2001:4860:4802:36:0:0:0:69
ns-tld4.charlestonroadregistry.com 216.239.38.105
2001:4860:4802:38:0:0:0:69
ns-tld5.charlestonroadregistry.com 216.239.60.105
2001:4860:4805:0:0:0:0:69

I find it interesting that half of the IP addresses have already been reported for hacking and other activity.