

Email bounces and hijacked DNS servers

Source:CASA    Date:2014-05-15

Recently some users have reported that, after enabling the RBL of the China Anti-Spam Alliance (CASA), their mail server rejects all inbound mail. As far as we can tell, the resolver these users query through is a hijacked DNS server.

First, a brief look at how an RBL works. The RBL service used for spam filtering is properly called a DNS-based real-time blackhole list: the lookup is carried out entirely over the DNS protocol.

Concretely, to ask whether an IP (say 11.22.33.44) is listed in an RBL (say cbl.anti-spam.org.cn), the client queries the name 44.33.22.11.cbl.anti-spam.org.cn (the octets of the IP in reverse order, followed by the RBL zone) and checks whether that name resolves. DNS has several record types; an RBL lookup asks for the A record, the TXT record, or ANY.

If the IP is listed, a specific answer comes back. Depending on the RBL and the record type queried, the answer may be a text string, one or more IP addresses, or both. The text usually explains which list the IP is on and where to find details. The returned IP addresses carry no routing meaning; they are codes that identify the result, e.g. 127.0.0.1, 127.0.0.2 and so on.

If the IP is not listed, the query returns an error, NXDOMAIN (the name does not exist). This is exactly the point at which DNS hijacking interferes, as explained below.

Here is the lookup in practice.

When the IP is not listed, the status returned is NXDOMAIN:

# dig 44.33.22.11.cbl.anti-spam.org.cn.

; <<>> DiG 9.3.3rc2 <<>> 44.33.22.11.cbl.anti-spam.org.cn.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58553
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;44.33.22.11.cbl.anti-spam.org.cn. IN   A

;; AUTHORITY SECTION:
cbl.anti-spam.org.cn.   3600    IN      SOA     cbl.anti-spam.org.cn. wxy.anti-spam.org.cn. 2008061006 14400 3600 14400 3600

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 10 09:28:55 2008
;; MSG SIZE  rcvd: 90
 

When the IP is listed, the status is NOERROR and a specific answer comes back, 127.0.8.2 in this case. The address queried here, 127.0.0.2, is a test entry; an RBL usually provides such an address so that lookups can be tested:

# dig 2.0.0.127.cbl.anti-spam.org.cn.          

; <<>> DiG 9.3.3rc2 <<>> 2.0.0.127.cbl.anti-spam.org.cn.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5032
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.cbl.anti-spam.org.cn.        IN      A

;; ANSWER SECTION:
2.0.0.127.cbl.anti-spam.org.cn. 10800 IN A      127.0.8.2

;; AUTHORITY SECTION:
cbl.anti-spam.org.cn.   10800   IN      NS      ns1.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10800   IN      NS      ns3.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10800   IN      NS      ns4.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10800   IN      NS      ns5.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10800   IN      NS      ns7.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10800   IN      NS      ns8.anti-spam.org.cn.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 10 09:31:01 2008
;; MSG SIZE  rcvd: 172

 

Querying the TXT record returns the explanatory text; this is the string the mail server puts into its rejection (bounce) message when the sending IP is listed:

# dig 2.0.0.127.cbl.anti-spam.org.cn. TXT

; <<>> DiG 9.3.3rc2 <<>> 2.0.0.127.cbl.anti-spam.org.cn. TXT
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21173
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.cbl.anti-spam.org.cn.        IN      TXT

;; ANSWER SECTION:
2.0.0.127.cbl.anti-spam.org.cn. 10800 IN TXT    "Mail from 127.0.0.2 refused, see http://anti-spam.org.cn/Rbl/Query/Result?IP=127.0.0.2"

;; AUTHORITY SECTION:
cbl.anti-spam.org.cn.   10675   IN      NS      ns5.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10675   IN      NS      ns7.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10675   IN      NS      ns8.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10675   IN      NS      ns1.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10675   IN      NS      ns3.anti-spam.org.cn.
cbl.anti-spam.org.cn.   10675   IN      NS      ns4.anti-spam.org.cn.

;; Query time: 37 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 10 09:33:06 2008
;; MSG SIZE  rcvd: 255

Now that the lookup mechanism is clear, let's look at why RBL hijacking happens.

Most users in China use their ISP's DNS servers when connecting to the internet; some have to be configured by hand, others are handed out over PPPoE or DHCP. In recent years ISPs have modified these resolvers so that a query with no result returns a special IP address instead of an error, in order to steer users to their own value-added or partner sites. For example, if you are on ADSL and type a nonexistent domain into the browser's address bar, you are redirected to the ISP's portal.

For ordinary browsing this does little harm beyond overriding the user's intent and forcing a visit to another site. For anyone using an RBL to fight spam, however, it is a serious problem: the "not listed" result is NXDOMAIN, and the hijacking resolver replaces NXDOMAIN with a synthesized answer. Every RBL query therefore returns a valid-looking record, every connecting IP appears to be listed, and the server rejects all inbound mail.

How do we deal with this situation? Here are two ways.

First, use a reliable DNS server that is not hijacked. Many ISP DNS servers in China, especially the ones handed out for internet access, are hijacked. Public resolvers abroad, or any resolver verified not to be hijacked, are candidates. Note that the server must provide public recursive resolution: a server that only answers for its own zones and does not resolve other domains is unusable for RBL lookups, and the root servers (*.ROOT-SERVERS.NET) likewise provide no recursive resolution. Use nslookup, dig or a similar tool to test whether a server resolves arbitrary domains and whether it is hijacked.

The following test shows whether a DNS server is open to (recursive) queries.

# dig sina.com. @A.ROOT-SERVERS.NET.

; <<>> DiG 9.3.3rc2 <<>> sina.com. @A.ROOT-SERVERS.NET.
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63123
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;sina.com.                      IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
A.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:a83e::2:30
B.GTLD-SERVERS.NET.     172800  IN      A       192.33.14.30
B.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:231d::2:30
C.GTLD-SERVERS.NET.     172800  IN      A       192.26.92.30
D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
E.GTLD-SERVERS.NET.     172800  IN      A       192.12.94.30
F.GTLD-SERVERS.NET.     172800  IN      A       192.35.51.30
G.GTLD-SERVERS.NET.     172800  IN      A       192.42.93.30
H.GTLD-SERVERS.NET.     172800  IN      A       192.54.112.30
I.GTLD-SERVERS.NET.     172800  IN      A       192.43.172.30
J.GTLD-SERVERS.NET.     172800  IN      A       192.48.79.30
K.GTLD-SERVERS.NET.     172800  IN      A       192.52.178.30
L.GTLD-SERVERS.NET.     172800  IN      A       192.41.162.30

;; Query time: 267 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jun 10 09:58:33 2008
;; MSG SIZE  rcvd: 498

In the test above we query sina.com at a root server. The status is NOERROR, but there is no ANSWER section giving an IP address, only a referral to the .com servers (note also that the ra flag, recursion available, is absent). This server (A.ROOT-SERVERS.NET.) does not provide public recursive resolution.

# dig sina.com. @202.106.196.115   

; <<>> DiG 9.3.3rc2 <<>> sina.com. @202.106.196.115
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;sina.com.                      IN      A

;; ANSWER SECTION:
sina.com.               1978    IN      A       71.5.7.191

;; AUTHORITY SECTION:
sina.com.               1976    IN      NS      ns1.sina.com.cn.
sina.com.               1976    IN      NS      ns2.sina.com.cn.
sina.com.               1976    IN      NS      ns3.sina.com.cn.

;; ADDITIONAL SECTION:
ns1.sina.com.cn.        84804   IN      A       202.106.184.166
ns2.sina.com.cn.        84804   IN      A       61.172.201.254
ns3.sina.com.cn.        84804   IN      A       202.108.44.55

;; Query time: 2 msec
;; SERVER: 202.106.196.115#53(202.106.196.115)
;; WHEN: Tue Jun 10 11:19:13 2008
;; MSG SIZE  rcvd: 155

In this test we query sina.com at a public resolver and the correct answer comes back, so this server does provide public recursive resolution.

Now query a domain that does not exist, such as sina11111.com, through the same server:

# dig sina11111.com. @202.106.196.115

; <<>> DiG 9.3.3rc2 <<>> sina11111.com. @202.106.196.115
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48272
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sina11111.com.                 IN      A

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1213068006 1800 900 604800 900

;; Query time: 697 msec
;; SERVER: 202.106.196.115#53(202.106.196.115)
;; WHEN: Tue Jun 10 11:19:22 2008
;; MSG SIZE  rcvd: 104

It returns NXDOMAIN, so this server is not hijacked.

Querying a hijacked DNS server (still hijacked at the time of writing) for the nonexistent domain sina1234122323.com returns a concrete IP, 220.250.64.22 (an address belonging to China Netcom):

# dig sina1234122323.com. @210.22.70.3      

; <<>> DiG 9.3.3rc2 <<>> sina1234122323.com. @210.22.70.3
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43129
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sina1234122323.com.            IN      A

;; ANSWER SECTION:
sina1234122323.com.     3600    IN      A       220.250.64.22

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1213069571 1800 900 604800 900

;; Query time: 2389 msec
;; SERVER: 210.22.70.3#53(210.22.70.3)
;; WHEN: Tue Jun 10 11:45:29 2008
;; MSG SIZE  rcvd: 125

If you query an existing domain through this server, the correct IP address comes back. The error comes only from nonexistent names being hijacked to a special IP, and an RBL "not listed" answer is precisely a nonexistent name.

Second, verify the RBL's return codes. Essentially all RBL services answer a hit with one or more IP addresses, and these are normally reserved addresses that never appear in an ordinary DNS answer, e.g. 127.0.0.2, 127.0.8.2. Most mail servers that support RBL lookups also support checking the answer against an expected value. Configure your RBL lookup to accept only the return codes the RBL service publishes; an answer such as 220.250.64.22 then does not count as a listing.
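The lookup mechanism described at the start of this page and the two remedies above (a hijack check on the resolver, and return-code verification) in working code. This is an added example, not CASA's code or part of any mail server. It uses constructed stub resolvers so that it runs offline: the RBL answers are the ones shown in the dig output on this page, the hijacked answer is 220.250.64.22 as seen from 210.22.70.3, and all function and variable names are ours.

```python
"""RBL lookup with return-code verification and a resolver hijack probe.

Added example (not CASA's code). The stub resolvers at the bottom are
constructed sample data modelled on the dig output on this page; no
network is used. A resolver is modelled as resolve(name, rrtype) ->
list of rdata strings, or None when the server answers NXDOMAIN.
"""
import ipaddress
import random
import string
from typing import Callable, List, Optional, Set, Tuple

Resolver = Callable[[str, str], Optional[List[str]]]

CBL_ZONE = "cbl.anti-spam.org.cn"
CBL_EXPECTED = {"127.0.8.2"}   # return code published by the RBL (from the page)


def rbl_name(ip: str, zone: str) -> str:
    """11.22.33.44 + zone -> '44.33.22.11.zone.' (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."


def naive_policy(ip: str, zone: str, resolve: Resolver) -> bool:
    """The failure mode on the page: any A answer at all is taken as 'listed'."""
    return resolve(rbl_name(ip, zone), "A") is not None


def rbl_check(ip: str, zone: str, expected: Set[str], resolve: Resolver) -> Tuple[str, str]:
    """Verified lookup. Returns (verdict, detail) where verdict is
    'not_listed' (NXDOMAIN), 'listed' (an A record from the published code
    set), or 'suspect' (NOERROR with an address outside that set, i.e. the
    answer did not come from the RBL and the resolver should be checked)."""
    name = rbl_name(ip, zone)
    answers = resolve(name, "A")
    if answers is None:
        return "not_listed", ""
    if any(a in expected for a in answers):
        txt = resolve(name, "TXT") or []        # reason text for the bounce message
        return "listed", (txt[0] if txt else f"{ip} is listed in {zone}")
    return "suspect", f"unexpected answer {answers} for {name}; resolver may be hijacked"


def resolver_is_hijacked(resolve: Resolver, tld: str = "com", seed: Optional[int] = None) -> bool:
    """Probe with a random label that will not exist: a clean resolver answers
    NXDOMAIN, a hijacking resolver returns a synthesized A record."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    label = "rbl-probe-" + "".join(rng.choice(alphabet) for _ in range(16))
    return resolve(f"{label}.{tld}.", "A") is not None


# --- constructed stub resolvers (sample data, not live DNS) ------------------
RBL_TABLE = {  # the RBL's own test entry, as shown in the dig output on this page
    rbl_name("127.0.0.2", CBL_ZONE): {
        "A": ["127.0.8.2"],
        "TXT": ["Mail from 127.0.0.2 refused, see "
                "http://anti-spam.org.cn/Rbl/Query/Result?IP=127.0.0.2"],
    },
}
HIJACK_PORTAL = "220.250.64.22"   # the synthesized answer seen from 210.22.70.3


def clean_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    """Answers NXDOMAIN (None) for anything not in the table."""
    rrset = RBL_TABLE.get(name)
    return None if rrset is None else rrset.get(rrtype, [])


def hijacked_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    """Like clean_resolver, but rewrites NXDOMAIN into an A record for the portal."""
    rrset = RBL_TABLE.get(name)
    if rrset is None:
        return [HIJACK_PORTAL] if rrtype == "A" else []
    return rrset.get(rrtype, [])


if __name__ == "__main__":
    for label, resolve in (("clean", clean_resolver), ("hijacked", hijacked_resolver)):
        print(f"[{label}] resolver hijacked? {resolver_is_hijacked(resolve, seed=1)}")
        for ip in ("127.0.0.2", "11.22.33.44"):
            print(f"  {ip:12} naive={naive_policy(ip, CBL_ZONE, resolve)!s:5} "
                  f"verified={rbl_check(ip, CBL_ZONE, CBL_EXPECTED, resolve)}")
```

Against the hijacked stub, naive_policy reports every IP as listed, which is the bounce storm described above, while rbl_check reports the unlisted IP as "suspect" rather than rejecting mail. To use it against a live resolver, wrap a DNS library call (for example dnspython's dns.resolver.resolve, mapping its NXDOMAIN exception to None) in a function with the same (name, rrtype) signature; that wrapper is an assumption of ours and not shown here.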

The RBL verification code for this site is as follows:

Name    Address                  Test address                        Returned code
CBL     cbl.anti-spam.org.cn     2.0.0.127.cbl.anti-spam.org.cn.     127.0.8.2

In short, as DNS hijacking in China grows more widespread, make sure the resolver you use for RBL lookups is not hijacked. Better still, configure the expected return codes as well, so that mail service is unaffected if your resolver is hijacked in the future.