NS watch/blacklist sometimes fails #6822
Comments
So far, unable to repro. This is a pattern I have observed multiple times in the past but the basic logic is already working correctly.
@teward Do you see DNS errors around these posts? Another one just now https://metasmoke.erwaysoftware.com/post/352301
This issue has been closed because it has had no recent activity. If this is still important, please add another comment and find someone with write permissions to reopen the issue. Thank you for your contributions.
Yet another: https://metasmoke.erwaysoftware.com/post/361856
Yet still another: https://metasmoke.erwaysoftware.com/post/368235
Another, I guess? https://metasmoke.erwaysoftware.com/post/368913
IDNA trouble: https://metasmoke.erwaysoftware.com/post/369464 should have triggered on watched NS mihanwebhost.com
Another: https://metasmoke.erwaysoftware.com/post/372088 (vaguely at the same time as Metasmoke went down briefly, but I don't think it's related to that; should have matched on watched IP, too).
Yet still another: https://metasmoke.erwaysoftware.com/post/373871
https://metasmoke.erwaysoftware.com/post/381157 unrelated reasons?
Something really weird going on with outlookindia.com, the site www.outlookindia.com has a separate set of NSes but I can't match on that either. https://metasmoke.erwaysoftware.com/post/382637
Ditto for caramellaapp.com in e.g. https://metasmoke.erwaysoftware.com/post/383062
I have never seen DNS errors in the system on this. However, what needs to be known is that to do forced subdomain stuff and picking up proper subdomain detections to base TLD and such is "what is the base tld?" and I mention this because things like If you can suggest a proper way to extract the base domain and then do stuff with that for subdomain queries then it's a simple call to the resolver libraries we're using for the base domain. That's not something that I'm going to write though, I don't have the spare cycles for it.
Are you sure that's an instance? Specified domain's NS records are Cloudflare, are we flagging Cloudflare as suspicious now?
@teward Cloudflare specifies a particular NS pair for each individual client, the NS watches and blacklists we have in place target a large number of these particular pairs (and in fact the collection of Cloudflare pairs dominate both of these files). This domain has the NS pair chance.ns.cloudflare.com. ullis.ns.cloudflare.com
https://metasmoke.erwaysoftware.com/post/401016 - weirdly the previous one https://metasmoke.erwaysoftware.com/post/401012 had "potentially bad NS"
Tangentially, https://metasmoke.erwaysoftware.com/post/402479 should have matched both IP address and name server, but bypassed those checks apparently because of the link obfuscation.
https://metasmoke.erwaysoftware.com/post/411601 is more straightforward and should be easy to fix.
Weirdly, IP lookup failed on https://metasmoke.erwaysoftware.com/post/412865
https://metasmoke.erwaysoftware.com/post/417301 and https://metasmoke.erwaysoftware.com/post/417302 (same spam reported again; still no NS).
Tangentially https://metasmoke.erwaysoftware.com/post/418986
https://metasmoke.erwaysoftware.com/post/422997 bare IP addresses are blacklisted but still not detected
Blacklisted IP not reported: https://m.erwaysoftware.com/posts/uid/meta/389525
https://metasmoke.erwaysoftware.com/post/431658 didn't trigger for Brenda+Theo (tutuapp.uno)
https://metasmoke.erwaysoftware.com/post/463575 weirdly didn't trigger even though both www.nimbleappgenie.com and nimbleappgenie.com resolve to 148.66.136.188 (which has been watched for a long time, but which I am now promoting to blacklisted)
What problem has occurred? What issues has it caused?
Domains with a subdomain bypass NS checks (originally, I thought anything with "www." before the server name, but it seems to be more complex actually). Recent example, www.eduauraa.com should trigger watched NS but doesn't.
https://metasmoke.erwaysoftware.com/post/352164
What would you like to happen/not happen?
NS watches and blacklists should trigger predictably.
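The "walk up to the base domain, then ask the resolver" approach that the thread asks for, as an added example that is not SmokeDetector's own code: it IDNA-normalizes the host, climbs the name one label at a time until it reaches a zone that actually has NS records (so www.eduauraa.com-style subdomains resolve to their parent's NS set) without crossing a public suffix, and routes bare IP literals to the IP watchlist instead. The resolver, zone table, suffix set and watchlists below are constructed stand-ins, not real DNS data.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone table standing in for real DNS. NS records live only at the
# zone apex, so a direct NS query for "www.example-apex.test" returns nothing:
# the failure mode in this issue. Names and NS hosts are made up.
CONSTRUCTED_ZONES: Dict[str, List[str]] = {
    "example-apex.test": ["chance.ns.cloudflare.com", "ullis.ns.cloudflare.com"],
    "xn--bcher-kva.test": ["ns1.hypothetical-host.example"],  # IDNA form of bücher.test
    "tenant.co.test": ["ns.other-hypothetical.example"],
}
# Constructed stand-in for the Public Suffix List; production code should load the real one.
PUBLIC_SUFFIXES: Set[str] = {"test", "co.test"}

def fake_resolve_ns(name: str) -> List[str]:
    """Stand-in for the resolver call; real code would query NS records here."""
    return CONSTRUCTED_ZONES.get(name, [])

def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and IDNA-encode so 'Bücher.test.' compares
    equal to 'xn--bcher-kva.test' (the IDNA mismatch mentioned in the thread)."""
    return host.strip().rstrip(".").lower().encode("idna").decode("ascii")

def find_zone_ns(host: str, resolve=fake_resolve_ns) -> Optional[Tuple[str, List[str]]]:
    """Walk the name up one label at a time and return (zone, sorted NS list) for
    the nearest ancestor that has NS records, stopping before a public suffix."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return None  # never attribute a public suffix's NS to a tenant
        ns = resolve(candidate)
        if ns:
            return candidate, sorted(n.lower().rstrip(".") for n in ns)
    return None

def check_host(host: str, watched_ns: Set[str], watched_ips: Set[str],
               resolve=fake_resolve_ns) -> List[str]:
    """Reasons to flag a host: a bare IP literal is matched against the IP list
    (it has no NS to look up); anything else is matched on its zone's NS set."""
    try:
        return ["watched ip"] if str(ipaddress.ip_address(host)) in watched_ips else []
    except ValueError:
        pass  # not an IP literal, fall through to the NS walk
    found = find_zone_ns(host, resolve)
    if found is None:
        return []
    zone, ns_list = found
    return [f"watched ns {n} (zone {zone})" for n in ns_list if n in watched_ns]
```

Watchlist entries are assumed to be stored already lower-cased and without a trailing dot, matching what find_zone_ns returns.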