
DNS xxx.ddns.net

Posted: Fri Jan 18, 2019 7:46 pm
by wispmikrotik
Hi,

I am seeing in my MikroTik router some connections to the DNS name "k3yhol3.ddns.net"; this name resolves to the IP 0.0.0.0.

Linux (nslookup):

Non-authoritative answer:
Name: k3yhol3.ddns.net
Address: 0.0.0.0

ping web: [image]

What's up with this domain? I do not understand any of it; if someone can help me ...


Regards.

Re: DNS xxx.ddns.net

Posted: Fri Jan 18, 2019 8:22 pm
by anav
Please post your config
/export hide=sensitive file=mylatestconfig

It will help determine how your DNS and firewall rules are setup.
We may also want to consider redirect NAT rules for DNS.

Re: DNS xxx.ddns.net

Posted: Fri Jan 18, 2019 8:41 pm
by wispmikrotik
> Please post your config
> /export hide=sensitive file=mylatestconfig
>
> It will help determine how your DNS and firewall rules are setup.
> We may also want to consider redirect NAT rules for DNS.
Hi anav,

Thanks. export:
# jan/18/2019 20:37:41 by RouterOS 6.44beta54
# software id = 06GQ-R3YM
#
/interface bridge
add name=loopback protocol-mode=none
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    group-key-update=30m management-protection=allowed mode=dynamic-keys \
    name=p_AP supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    ampdu-priorities=0,1,2,3,4 band=2ghz-onlyn basic-rates-a/g="" \
    basic-rates-b="" bridge-mode=disabled disabled=no distance=indoors \
    frequency=2452 ht-basic-mcs="" ht-supported-mcs="mcs-3,mcs-4,mcs-5,mcs-6,m\
    cs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" \
    hw-protection-mode=cts-to-self installation=indoor mode=ap-bridge \
    radio-name="" rate-set=configured security-profile=p_AP ssid=INVI \
    supported-rates-a/g="" supported-rates-b="" wireless-protocol=802.11 \
    wps-mode=disabled
/ip pool
add name=pool_lan ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=pool_lan disabled=no interface=wlan1 lease-time=\
    1d name=dhcp_lan
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=192.168.88.1/24 interface=wlan1 network=192.168.88.0
add address=192.168.240.100 interface=loopback network=192.168.240.100
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1 use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set servers=1.1.1.1,208.67.220.220
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=valb01
/system ntp client
set enabled=yes primary-ntp=52.209.118.149 secondary-ntp=163.172.61.210
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
If you ping or resolve the domain, what does it resolve to for you?

Regards.

Re: DNS xxx.ddns.net

Posted: Fri Jan 18, 2019 8:47 pm
by anav
I am not familiar with 1.1.1.1; is that a legitimate DNS server??

Overall your setup is missing so many things and most of all any firewall rules.
I suggest you download the latest stable firmware 6.43.8 and reset to defaults.

For example
missing an IP pool
missing a DHCP-SERVER NETWORK
no firewall filter rules
no firewall nat rules
no IP route rules
and many others.......

Re: DNS xxx.ddns.net

Posted: Fri Jan 18, 2019 8:54 pm
by wispmikrotik
> I am not familiar with 1.1.1.1; is that a legitimate DNS server??
>
> Overall your setup is missing so many things and most of all any firewall rules.
> I suggest you download the latest stable firmware 6.43.8 and reset to defaults.
>
> For example
> missing an IP pool
> missing a DHCP-SERVER NETWORK
> no firewall filter rules
> no firewall nat rules
> no IP route rules
> and many others.......
Hi,

IP 1.1.1.1 is Cloudflare.
https://blog.cloudflare.com/announcing-1111/
Regarding the rules of the firewall, they are not necessary, since in front of the mikrotik there is a firewall that blocks all unwanted input/forward traffic.

Can you try to resolve the domain k3yhol3.ddns.net by ping and tell me if an IP responds?

Regards.
I appreciate your help.

Re: DNS xxx.ddns.net

Posted: Tue Jan 22, 2019 12:38 am
by Takv
Localhost... So strange.

Sent from my Mi A2 using Tapatalk


Re: DNS xxx.ddns.net

Posted: Tue Jan 22, 2019 12:45 am
by Takv
https://otx.alienvault.com/indicator/do ... 3.ddns.net

Sent from my Mi A2 using Tapatalk


Re: DNS xxx.ddns.net

Posted: Tue Jan 22, 2019 10:51 am
by Jotne
> Localhost... So strange.

Not strange at all. When you register a DNS name, you can add any IP you like.
So someone has registered k3yhol3.ddns.net with IP 127.0.0.1


I can register myserverhome.dyndns.com with IP 127.0.0.1, but why I should do that is another question.

Re: DNS xxx.ddns.net

Posted: Tue Jan 22, 2019 4:09 pm
by Takv
Exactly

Sent from my Mi A2 using Tapatalk


Re: DNS xxx.ddns.net

Posted: Fri Jan 25, 2019 8:00 pm
by Jcon
Google `k3yhol3`
It sounds like you may have something on your network you'll want to get rid of. Sounds like whatever it is, it keeps checking that domain for a valid IP. And once it has it... it will start its process. Be it transferring data... performing a DDoS attack.... not good.
Burn it with fire... quick.
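The pattern Jotne and Jcon describe (a dynamic-DNS name parked on 0.0.0.0 or 127.0.0.1 that a LAN host keeps re-querying until it flips to a routable address) can be turned into a detection over DNS query logs. This is an added example, not code from the thread or from MikroTik; it assumes logs reduced to (client IP, queried name, answer IP) tuples in time order, a DDNS suffix list built only from the names mentioned above, and the constructed sample records at the bottom.

```python
import ipaddress
from collections import defaultdict

# Dynamic-DNS suffixes named in the thread (assumption: extend for your environment).
DDNS_SUFFIXES = ("ddns.net", "dyndns.com")

def is_parked(addr):
    """True when an answer is a placeholder rather than a routable host:
    0.0.0.0 (unspecified) or loopback, as seen for k3yhol3.ddns.net."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback

def is_ddns(name):
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in DDNS_SUFFIXES)

def analyse(records):
    """records: iterable of (client_ip, qname, answer_ip) in time order.
    Returns, per (client, qname), how many times the name was looked up while
    parked and the first routable answer seen after that, if any."""
    state = defaultdict(lambda: {"parked_lookups": 0, "activated_to": None})
    for client, qname, answer in records:
        if not is_ddns(qname):
            continue
        key = (client, qname.rstrip(".").lower())
        if is_parked(answer):
            state[key]["parked_lookups"] += 1
        elif state[key]["parked_lookups"] and state[key]["activated_to"] is None:
            # A name that was repeatedly parked now resolves to a real host:
            # the "once it has it, it will start its process" moment.
            state[key]["activated_to"] = answer
    return dict(state)

def alerts(records, min_parked=3):
    """Hosts worth investigating: repeated lookups of a parked DDNS name,
    or a parked name that has just gone live."""
    out = []
    for (client, qname), s in analyse(records).items():
        if s["activated_to"] is not None:
            out.append((client, qname, "activated", s["activated_to"]))
        elif s["parked_lookups"] >= min_parked:
            out.append((client, qname, "parked-beacon", s["parked_lookups"]))
    return out

# Constructed sample: LAN client 192.168.88.57 keeps looking up the parked name
# from the thread; a second client looks up an ordinary DDNS name once.
SAMPLE = [
    ("192.168.88.57", "k3yhol3.ddns.net", "0.0.0.0"),
    ("192.168.88.57", "k3yhol3.ddns.net", "0.0.0.0"),
    ("192.168.88.60", "myserverhome.dyndns.com", "203.0.113.10"),
    ("192.168.88.57", "k3yhol3.ddns.net", "127.0.0.1"),
    ("192.168.88.57", "k3yhol3.ddns.net", "198.51.100.7"),
]
```

On the sample, the first four records produce a "parked-beacon" alert for 192.168.88.57 and the fifth upgrades it to "activated", which is the host to isolate and examine.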