Nmap Development mailing list archives

Re: [NSE] New script dns-blacklist


From: Duarte Silva <duarte.silva () serializing me>
Date: Sun, 08 Jan 2012 13:43:03 +0000

On Sunday 08 January 2012 10:24:37 Patrik Karlsson wrote:
On Sun, Jan 8, 2012 at 4:05 AM, David Fifield <david () bamsoftware com> wrote:
On Mon, Jan 02, 2012 at 11:31:09AM +0000, Duarte Silva wrote:
Hi Patrik,

I added two new DNSBL providers, one for TOR nodes [1]

[1] https://www.dan.me.uk/dnsbl

For Tor, let's see if we can use the Tor Project's exit list directly,
rather than some third party that is just querying them anyway.

https://www.torproject.org/projects/tordnsel.html

I don't think they are only querying TorDNSEL. I'm pretty sure they're using 
the server descriptors directory directly [1][2] (that's what I would do).

The main difference is whether an address can be considered an exit node
depends on the address and port you are relaying to, so those are part
of the query. Apparently TorDNSEL also does active probing to find out
if relays' behaviour actually matches their stated exit policy.

From the documentation of the service:

"Previous DNSELs scraped Tor's network directory for exit node IP addresses, 
but this method fails to list nodes that don't advertise their exit address in 
the directory. TorDNSEL actively tests through these nodes to provide a more 
accurate list."

I think it's quite an uninformative service compared to the third-party one, even 
though it does actually check if the relay is an exit node and it may be able 
to find nodes that aren't listed.

As far as I can tell the first service also allows us to query for entry
nodes. I'm not sure what we want/need and leave that up to the Tor experts.
If we only want exit nodes, the official Tor Project service is obviously a
better source.

It depends on what you want. If you want to know, "my corporate <insert 
resource name here> was attacked, should I have blocked that IP address?", 
then the exit nodes are only part of what you want to know. If you want to 
perform deeper investigations, then it might also be interesting to check for 
relays.

Another possibly more efficient way is to download the whole relay list
once, and then compare each target address against the list. This also
has the advantage of not needing to disclose the target's address to the
exit list operator.

https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=74.207.254.18

You are disclosing the target IP address in all the DNSBLs. If one cares 
about it, then he really shouldn't be using the script =P

David Fifield

While I agree with it being more efficient, it should probably go into its
own script as it's not DNSBL?

I agree.
 
Cheers,
Patrik

In the attachment follows a patch with some minor changes/fixes and the added 
TorDNSEL provider as specified in [3].

[1] https://www.torproject.org/docs/tor-doc-relay.html.en#check
[2] http://194.109.206.212/tor/status-vote/current/consensus
[3] https://www.torproject.org/projects/tordnsel.html.en

Regards,
Duarte Silva

Attachment: dnsbl.patch
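As an added illustration (not part of this thread or of the dnsbl patch), the two lookup styles David contrasts: a per-target TorDNSEL ip-port query, whose name carries the destination address and port, and an offline comparison against a downloaded bulk exit list. The zone name, the 127.0.0.2 "listed" answer and the one-address-per-line bulk format are assumptions taken from the TorDNSEL documentation of that era, not facts stated on the page.

```python
import ipaddress

# Assumed conventions of the 2012-era TorDNSEL service; not stated on the page.
TORDNSEL_ZONE = "ip-port.exitlist.torproject.org"
TORDNSEL_LISTED = "127.0.0.2"


def reverse_octets(ip):
    """Dotted octets of an IPv4 address in reverse order (DNSBL convention)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split(".")))


def tordnsel_query_name(candidate_ip, dest_ip, dest_port):
    """Name to look up to ask whether candidate_ip is a Tor exit that would
    relay to dest_ip:dest_port. The destination address and port become part
    of the name, which is the disclosure David points out."""
    port = int(dest_port)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "%s.%d.%s.%s" % (reverse_octets(candidate_ip), port,
                            reverse_octets(dest_ip), TORDNSEL_ZONE)


def tordnsel_is_exit(answers):
    """Interpret the A records returned for a tordnsel_query_name() lookup."""
    return TORDNSEL_LISTED in answers


def parse_bulk_exit_list(text):
    """Parse a downloaded exit list (one address per line, '#' comments) into
    a set of IPv4Address objects; malformed lines are skipped, not fatal."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.IPv4Address(line))
        except ValueError:
            continue
    return exits


def exits_among(targets, exit_set):
    """Offline check of which targets are in the bulk list; no target address
    leaves the scanning host."""
    return sorted(t for t in targets if ipaddress.IPv4Address(t) in exit_set)


# Constructed sample in the bulk-list format (documentation addresses, not real exits).
SAMPLE_BULK_LIST = "# constructed sample\n192.0.2.10\n198.51.100.7  # comment\nbogus\n"
```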

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/