DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

Dnscrypt blacklists block only outgoing DNS query (Valid) #659

Closed rugabunda closed 5 years ago

rugabunda commented 5 years ago

I am blocking outgoing queries for domains matching "analytics", yet incoming responses from DNS servers that include "analytics" in the domain are not being blocked. Blacklist security/functionality is cut in half. Please also include an option to filter replies via blacklists.

13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.235.44.232
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.194.252.192
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.130.128
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.202.107.183
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.209.97.44
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.173.82.169
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 23.22.178.204
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.103.1

This recurs over and over again with every query to s.update.fbsbx.com. According to Robtex, s.update.fbsbx.com is a CNAME to s.agentanalytics.com, though it has far more IP addresses than are listed on their website.

Any domain query with the word "analytics" was and is being blocked by the dnscrypt-proxy blacklist, thus it could not have been made, but the replies were being received, as you can clearly see above. If I can point you to the source of this query I will; say the word and I will see what I can do to find out what's causing it.

I was forced to block "s.update.fbsbx.com" altogether, possibly breaking some legitimate functionality of whatever it was, while ensuring no reply connection to any domain with "analytics" data-harvesting.

It is not garbage according to the resolver: once a response is received and cached, any application could use the IP addresses provided, as indeed this FB app / website appears to have been doing. Not even dnsmasq could block or forward these incoming replies.

It's coming from a laptop at the residence, so I'd have to Wireshark their laptop to find out. I will consider doing this so you could potentially test this out for yourself.

@jedisct1 An incredibly sophisticated banking Trojan uses this domain: https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

The trojan connects to or sniffs s.update.fbsbx.com analytics. Seeing that a banker thief trojan wants access to the analytics over this domain, it doesn't make me feel comfortable with what may already be flowing over this domain to Facebook. And they've cleverly disguised it to be immune to one-way wildcard blacklists, like yours.

jedisct1 commented 5 years ago

These entries are not within the parent zone and are ignored by all stub resolvers.
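The point under discussion is what a name blacklist can and cannot see: dnscrypt-proxy matches the question name, while the CNAME targets and A records that come back sit in the answer section. The following is an added illustration, not code from this issue or from dnscrypt-proxy: a stdlib-only Python parser for a DNS response that applies the same substring pattern to the question name, to each answer's owner name and to each CNAME target, and that only honours answer records reachable from the question through the CNAME chain (used here as a stand-in for how a stub resolver treats the answer section; that criterion, the addresses, the blocklist tuple and the helper names are assumptions of the example, modelled on the dnsmasq log above).

```python
import struct

A, CNAME = 1, 5
# Constructed blocklist: the same substring entry the report describes.
BLOCKLIST = ("analytics",)


def encode_name(name):
    """Wire-format (uncompressed) owner name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_response(qname, answers):
    """Constructed response: one A question plus the given (owner, type, rdata) answers."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", A, 1)
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return hdr + body


def parse_response(msg):
    """Return (qname, [(owner, rtype, value)]) for a single-question response."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    qname, off = decode_name(msg, 12)
    off += 4                                  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CNAME:
            value, _ = decode_name(msg, off)
        elif rtype == A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((owner, rtype, value))
    return qname, records


def matches(name, patterns=BLOCKLIST):
    return any(p in name for p in patterns)


def filter_reply(msg, patterns=BLOCKLIST):
    """Query-side check first, then a reply-side check over the CNAME chain.

    Returns (verdict, reason_name, kept_records). Only records whose owner is
    the question name or a CNAME target already seen are considered; any other
    owner is ignored (assumed stub-resolver behaviour for this example)."""
    qname, records = parse_response(msg)
    if matches(qname, patterns):              # what the query-side blacklist already catches
        return "blocked_query", qname, []
    reachable, kept = {qname}, []
    for owner, rtype, value in records:
        if owner not in reachable:            # unrelated owner: dropped, never cached
            continue
        if rtype == CNAME and matches(value, patterns):
            return "blocked_reply", value, []  # the case the report is about
        if matches(owner, patterns):
            return "blocked_reply", owner, []
        kept.append((owner, rtype, value))
        if rtype == CNAME:
            reachable.add(value)
    return "allowed", qname, kept


# Constructed sample modelled on the dnsmasq log in the report (addresses are documentation IPs).
SAMPLE = build_response("s.update.fbsbx.com", [
    ("s.update.fbsbx.com", CNAME, encode_name("s.agentanalytics.com")),
    ("s.agentanalytics.com", CNAME, encode_name("agentanalytics.com")),
    ("agentanalytics.com", A, bytes([192, 0, 2, 10])),
    ("unrelated.example", A, bytes([192, 0, 2, 99])),   # not on the chain
])
CLEAN = build_response("www.example.com", [("www.example.com", A, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    print(filter_reply(SAMPLE))   # query name passes, CNAME target trips the reply-side check
    print(filter_reply(CLEAN))
```

With the blocklist applied only to the question name, SAMPLE is allowed and the agentanalytics.com addresses get cached; with the reply-side walk, the first CNAME target trips the pattern and the whole answer is dropped. The unrelated.example record is discarded in either case because it is not reachable from the question.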

rugabunda commented 5 years ago

@jedisct1 If it will fail, and all stub resolvers (that includes the Windows DNS client, etc.) reject it, why is it being queried to begin with? Makes no sense.

rugabunda commented 5 years ago

@jedisct1 confirmed while browsing facebook on a desktop in Chrome. To reproduce, create/login to a facebook account, browse.

rugabunda commented 5 years ago

@jedisct1 Furthermore, agentanalytics.com is outsourced, and not owned or run by Facebook. The domain is run by an organization called "White Ops, Inc".

https://otx.alienvault.com/indicator/hostname/agentanalytics.com
https://www.threatcrowd.org/domain.php?domain=agentanalytics.com