DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

nx.log! #366

Closed gcpmusic closed 6 years ago

gcpmusic commented 6 years ago

I have set nx.log in the .toml config but it is not clear to me if these entries are blocked or just info. Thanks gC

VindicatorDS commented 6 years ago

nx.log is for non-existent domains, i.e., DNS queries that were not blocked by dnscrypt-proxy and that returned a "no such domain" answer.

Edit: Check this: https://security.stackexchange.com/questions/159560/how-does-malware-use-unregistered-domains

gcpmusic commented 6 years ago

Thank you for the reply. So, to my understanding, is it better to block these entries?

In my nx.log I have this:

[2018-04-15 17:53:41] 127.0.0.54 prg.smartadserver.com A
[2018-04-15 17:53:41] 127.0.0.54 yieldlove-d.openx.net A
[2018-04-15 17:53:41] 127.0.0.54 eu-u.openx.net A
[2018-04-15 18:17:05] 127.0.0.54 ocsp.digicert.com A
[2018-04-15 18:17:05] 127.0.0.54 cs9.wac.phicdn.net

VindicatorDS commented 6 years ago

Blocking the entry also returns a no such domain as well. So blocking wouldn't accomplish anything.

These entries are more informative than anything. They could be false positives, i.e., a bug in the application that causes it to query the wrong domain, or an app that's still trying to use a no longer valid domain, or, they could be related to malware.

The best you could do is to inspect the client and/or app that's querying that domain. And if you really want to do something about it (not recommended unless you know what you're doing), you could sink these entries, i.e., to 127.0.0.1 or ::1 (and that's assuming it's malware and following the "normal" behavior).

Edit: If it's malware with the reversed behaviour, that is, 1) do nothing if DNS returns a no such domain/no answer and 2) cause havoc if DNS returns an answer, then you would be doing more harm than good by sinking these entries.
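
The triage VindicatorDS recommends (look at which client is asking, and whether the names look like an app bug, a dead domain or something generated) can be scripted against nx.log. The following is an added example, not code from the dnscrypt-proxy project or from either commenter. It parses lines in the shape quoted above (dnscrypt-proxy's 'tsv' nx_log format), tolerates the missing query type on the last quoted line, and flags a client that asks for many distinct, high-entropy names in a short window. The sample input embeds the thread's five entries plus constructed lines for a second client (10.0.0.9); the window size, thresholds, the entropy heuristic and the NEVER_BLOCK set (seeded with ocsp.digicert.com, which a later comment singles out as operational traffic) are assumptions for illustration, not dnscrypt-proxy settings.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed input in the shape of dnscrypt-proxy's nx.log in its 'tsv' format:
# "[date time]", client address, queried name, query type. The 127.0.0.54 lines are the five
# quoted in the thread (the last one lacks the query type, exactly as quoted); the 10.0.0.9
# lines are made up to show a burst of random-looking names. A real file is tab-separated;
# the parser accepts any whitespace, so the copy below uses spaces.
SAMPLE_NX_LOG = """\
[2018-04-15 17:53:41] 127.0.0.54 prg.smartadserver.com A
[2018-04-15 17:53:41] 127.0.0.54 yieldlove-d.openx.net A
[2018-04-15 17:53:41] 127.0.0.54 eu-u.openx.net A
[2018-04-15 18:17:05] 127.0.0.54 ocsp.digicert.com A
[2018-04-15 18:17:05] 127.0.0.54 cs9.wac.phicdn.net
[2018-04-15 18:20:00] 10.0.0.9 xk3q9z7vbw1ltr.com A
[2018-04-15 18:20:01] 10.0.0.9 p4mv2hq8dzsc0n.net A
[2018-04-15 18:20:02] 10.0.0.9 wz81kdp3r6ytqa.org A
[2018-04-15 18:20:03] 10.0.0.9 b7nxc5vjq2m0ls.info A
[2018-04-15 18:20:04] 10.0.0.9 t9rfk4hy6w1pzd.biz A
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<client>\S+)\s+(?P<name>\S+)(?:\s+(?P<qtype>\S+))?\s*$"
)

# Names whose NXDOMAIN is operational noise, not a blocking candidate. ocsp.digicert.com is
# the one singled out in the thread; extending this set is an assumption for your own site.
NEVER_BLOCK = {"ocsp.digicert.com"}


def parse_nx_log(text):
    """Return (timestamp, client, name, qtype) tuples. Lines that do not parse are skipped;
    a missing query type is reported as '?' instead of dropping the line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        name = m["name"].lower().rstrip(".")
        entries.append((ts, m["client"], name, m["qtype"] or "?"))
    return entries


def label_entropy(name):
    """Shannon entropy (bits per character) of the leftmost label. Human-chosen labels such
    as 'prg' or 'ocsp' score low; a 14-character label with no repeated character scores
    log2(14), about 3.81. Crude, but a useful first DGA signal."""
    label = name.split(".")[0]
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_burst(hits, window_s):
    """Largest number of distinct names one client asked for inside any window_s window."""
    hits = sorted(hits)
    best = 0
    start = 0
    for end in range(len(hits)):
        while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
            start += 1
        best = max(best, len({name for _, name in hits[start:end + 1]}))
    return best


def triage(text, window_s=60, burst_threshold=5, entropy_threshold=3.5, min_random=3):
    """Per-client summary. 'suspicious' is set when a client produced at least
    burst_threshold distinct NXDOMAINs within window_s seconds and at least min_random of
    its names have a high-entropy leftmost label. All thresholds are assumptions to tune."""
    per_client = defaultdict(list)
    for ts, client, name, _qtype in parse_nx_log(text):
        per_client[client].append((ts, name))
    report = {}
    for client, hits in per_client.items():
        names = {name for _, name in hits}
        random_labels = sorted(n for n in names if label_entropy(n) >= entropy_threshold)
        burst = max_burst(hits, window_s)
        report[client] = {
            "distinct": len(names),
            "burst": burst,
            "random_labels": random_labels,
            "review": sorted(names - NEVER_BLOCK),   # names worth a look; OCSP host excluded
            "suspicious": burst >= burst_threshold and len(random_labels) >= min_random,
        }
    return report


if __name__ == "__main__":
    for client, summary in sorted(triage(SAMPLE_NX_LOG).items()):
        flag = "SUSPICIOUS" if summary["suspicious"] else "ok"
        print(f"{client}: {flag}, {summary['distinct']} distinct names, "
              f"burst={summary['burst']}, random={summary['random_labels']}")
```

On the thread's own five lines this reports 127.0.0.54 as "ok": the names are ordinary ad/CDN/OCSP hostnames with low-entropy labels and no burst, which matches the "more informative than anything" reading above. The constructed 10.0.0.9 client, five unrelated random 14-character names within four seconds, is what the flag is for, and is the case where looking at the process on that host matters more than any blocklist change.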

gcpmusic commented 6 years ago

Thank you.

iWARR commented 6 years ago

@gcpmusic

From your list above you can block all this ad/tracking trash, except one.

ocsp.digicert.com - This is one of the possible hosts (Digicert) for actual certificate updates. One of the very first OS connections after booting. Critical LSASS system process used (often even earlier and faster than your antivirus may load). Never block OCSP updates, or your certs will become obsolete.

gcpmusic commented 6 years ago

Thank you.

iWARR commented 6 years ago

@gcpmusic You are welcome :) And don't bother too much with nx.log, it has many "fake"/"empty" reactions.