This discussion has been inactive for longer than 30 days, and is thus closed.
    • rungu (Aug 6th 2012):
    Does anyone know why OpenDNS thinks pool.nt.org is a malware site?

    1 pool.ntp.org Malware 10

    This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites .
    • birkita (Aug 6th 2012):
    Are you referring to pool.nt.org or pool.ntp.org? One is not in the OpenDNS records; the other is not tagged as malware.
    • rungu (Aug 6th 2012):
    Typo, it should be pool.ntp.org.
    • birkita (Aug 6th 2012):
    pool.ntp.org is tagged software/tech not malware so OpenDNS should not flag it up as malware. You may want to check your machine in case it has been hijacked and something is trying to redirect you to a malware site when you attempt to reach pool.ntp.org.
    • birkita (Aug 6th 2012):
    Also, is the error message from OpenDNS or your own virus software? pool.ntp.org has several different IP addresses that change depending on your location; one of these may be incorrectly listed as a possible malware site in your antivirus software.
    • (author not captured):
    pool.nt.org, on the other hand, is a parked domain. Not sure why either would come up as malware right now.
    • birkita (Aug 6th 2012):
    Just to fill in some blanks. The IP address 82.98.86.170 associated with pool.nt.org (not pool.ntp.org) does have prior associations with RBN and spam activity. It may have been set up to catch people accidentally typing this address, as in your first post.
    • rotblitz (Aug 6th 2012):
    I use (a subdomain of) pool.ntp.org as my regular timeserver, and it's not being blocked for me.
    • rungu (Aug 6th 2012):
    Thanks birkita, but I stated previously that I had mistyped pool.nt.org instead of pool.ntp.org, so obviously that is not the case.

    I didn't say it was blocked; it turns up as "Malware/Botnet Activity Detected" on the OpenDNS website dashboard.
    • rotblitz (Aug 6th 2012):
    If it comes up this way, it was blocked, of course. So it apparently was pool.nt.org.
    • comminovo (Aug 6th 2012):
    It appears that just recently pool.ntp.org was added as malware, as I have 826 requests blocked for pool.ntp.org as a malware site. I am also wondering why this is. It was not blocked last week.
    • (author not captured):
    Odd. I still get no indication that it is blocked as a malware domain.

    ; <<>> DiG 9.3.2 <<>> pool.ntp.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 759
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;pool.ntp.org. IN A

    ;; ANSWER SECTION:
    pool.ntp.org. 376 IN A 173.244.211.10
    pool.ntp.org. 376 IN A 75.144.11.42
    pool.ntp.org. 376 IN A 69.122.22.85

    ;; Query time: 46 msec
    ;; SERVER: 208.67.220.220#53(208.67.220.220)
    ;; WHEN: Mon Aug 06 14:14:00 2012
    ;; MSG SIZE rcvd: 78
    • birkita (Aug 6th 2012):
    Ok, I just checked all ten variations of pool.ntp.org that OpenDNS has in its tagging database and none of them are marked as or even have as little as one vote towards malware. Those having an issue need to ask support for an answer as clearly it is not happening to all users.
    • sweenpac (Aug 6th 2012):
    Certainly worth looking into. Our OpenDNS dashboard lists four ntp.org queries (for today) as blocked (two each, from two of our sites), with the reason in each case being "malware".

    0.pool.ntp.org
    2.pool.ntp.org
    2.north-america.pool.ntp.org
    0.centos.pool.ntp.org
    • birkita (Aug 6th 2012):
    Again none of these sites are tagged as malware when you search for them in the tagging database and none appear in any of my OpenDNS based networks as malware. Please contact support. When support has given an answer let us all know as it is an intriguing mystery for some as well as an inconvenience for other users.
    • rotblitz (Aug 7th 2012):
    "none of these sites are tagged as malware when you search for them in the tagging database"

    Malware domains generally are not tagged as such in the domain tagging system. This is a different database.
    • birkita (Aug 7th 2012):
    You are right but as a malware moderator I can see that database as well.
    Thankful People: rotblitz
    • nmcsafety (Aug 8th 2012):
    This is still showing as malware. Any idea why?

    ---------------------------
    7 pool.ntp.org 358

    This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites .
    ---------------------------
    • rotblitz (Aug 8th 2012):
    @nmcsafety
    Post the complete plain text output of the following commands here (trailing dots are part of them!):
    nslookup -type=txt debug.opendns.com.
    nslookup pool.ntp.org.
    • birkita (Aug 8th 2012):
    Please post the output of the commands that rotblitz has posted above.
    • sweenpac (Aug 8th 2012):
    I'll post some nslookup output. (Our own addresses sanitized out of habit.) Posting the two nslookups you requested, but our reports don't list pool.ntp.org as being malware, so I'm also posting an nslookup for one that is (0.pool.ntp.org).

    So it appears that pool.ntp.org lookups are succeeding, but that (in our case) the Dashboard is erroneously reporting them as being blocked. Puzzling. Here's that output.

    **********

    $ nslookup -type=txt debug.opendns.com
    Server: 10.1.2.3
    Address: 10.1.2.3#53

    Non-authoritative answer:
    debug.opendns.com text = "server 4.pao"
    debug.opendns.com text = "flags 20 0 7e6 100000000000"
    debug.opendns.com text = "id 8807571"
    debug.opendns.com text = "source 204.72.79.220:22016"

    Authoritative answers can be found from:


    $ nslookup pool.ntp.org
    Server: 10.1.2.3
    Address: 10.1.2.3#53

    Non-authoritative answer:
    Name: pool.ntp.org
    Address: 69.167.160.102
    Name: pool.ntp.org
    Address: 96.44.142.5
    Name: pool.ntp.org
    Address: 199.4.29.166


    $ nslookup 0.pool.ntp.org
    Server: 10.1.2.3
    Address: 10.1.2.3#53

    Non-authoritative answer:
    Name: 0.pool.ntp.org
    Address: 208.87.104.40
    Name: 0.pool.ntp.org
    Address: 71.170.175.35
    Name: 0.pool.ntp.org
    Address: 71.238.226.18
    • rotblitz (Aug 9th 2012):
    "So it appears that pool.ntp.org lookups are succeeding, but that (in our case) the Dashboard is erroneously reporting them as being blocked."

    You're correct somehow... :confused:
    • sweenpac (Aug 10th 2012):
    (with chuckle) Which leaves the three-part question: Does OpenDNS in fact think it needs to block ntp.org sites, and if so, why isn't it doing so, and why does it (incorrectly) report them as having been blocked as malware?

    I'm so confused.
    • zelus (Aug 10th 2012):
    Well, let's see:

    #1: If only a certain IP/server that hosts the domain has malicious content on it, then requests that result in resolution to that server/IP will be blocked - only specific instances of the requests will be blocked. Does the domain have rotating server/IPs? Was a bad one pulled out and no longer used?

    #2: If the Stats that are being pulled for your networks are old, then you may be looking at a time when there was a false positive or a time when there was a positive hit for our Malware listing; the domain is no longer tagged so requests to it are not blocked any longer.

    If you're still having concerns about this issue, please open a support ticket, and we'll have our support engineers look into it: https://dashboard.opendns.com/support/
    • rotblitz (Aug 10th 2012):
    "Does the domain have rotating server/IPs?"

    Oh yeah! Even excessive! Your explanations most likely caught it.
    • birkita (Aug 10th 2012):
    Unfortunately there are 1000s of servers for the NTP service which uses a 'DNS round robin to make a random selection from a pool of time servers who have volunteered to be in the pool.'
    • (author not captured):
    Add us to the list, from our MSP dashboard:

    pool.ntp.org Malware 5
    This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites.

    0.pool.ntp.org Malware 17
    This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites.
    • rotblitz (Aug 16th 2012):
    "You can make an exception for this domain"

    What a good proposal! Why not follow it?
    • (author not captured):
    "What a good proposal! Why not follow it?"

    If that was aimed at us, then we had already made an exception. I was just sharing that we were seeing the issue too.

    No need to be crass.
    • rotblitz (Aug 16th 2012):
    This wasn't meant to be crass. As birkita said above, there are thousands of servers under this domain, nearly everybody can apply to operate an NTP server under the pool.ntp.org domains. And this is occasionally misused by certain people to do their malicious "work".

    And when it comes to the point that "if only a certain IP/server that hosts the domain has malicious content on it, then requests that result in resolution to that server/IP will be blocked" (zelus), due to the IP address rotation a subdomain can by chance land on such a bad IP address again. And this is good as it is, because it protects you. It is not the domain itself that is blocked then, but the underlying IP address a certain subdomain resolves to at a certain time.

    As said, you have the following options with your settings:
    - Generally don't block malware/botnet (under Security settings)
    - Or whitelist pool.ntp.org or even ntp.org
    - Or live with the fact that *.pool.ntp.org is (only) occasionally blocked.
    Thankful People: birkita
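    As an added example (not code from the thread or from OpenDNS), the following Python script parses nslookup output of the kind rotblitz asked for and sweenpac posted, and then applies zelus's explanation that only lookups landing on a flagged address are blocked. The sample text is constructed from the addresses quoted in the thread; the set of flagged addresses is a hypothetical input, since the thread never identifies the offending IP.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the nslookup output sweenpac posted in the
# thread (same addresses; the resolver address is the sanitized one he used).
NSLOOKUP_OUTPUT = """\
$ nslookup -type=txt debug.opendns.com
Server: 10.1.2.3
Address: 10.1.2.3#53

Non-authoritative answer:
debug.opendns.com text = "server 4.pao"
debug.opendns.com text = "flags 20 0 7e6 100000000000"
debug.opendns.com text = "id 8807571"
debug.opendns.com text = "source 204.72.79.220:22016"

$ nslookup 0.pool.ntp.org
Server: 10.1.2.3
Address: 10.1.2.3#53

Non-authoritative answer:
Name: 0.pool.ntp.org
Address: 208.87.104.40
Name: 0.pool.ntp.org
Address: 71.170.175.35
"""

def parse_debug_txt(text):
    """Return the debug.opendns.com TXT records as {key: value}.
    An empty dict means the query did not go through an OpenDNS resolver."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r'debug\.opendns\.com\s+text = "(\w+) (.*)"', text)}

def parse_a_records(text):
    """Return {name: [addresses]} from the Name:/Address: answer pairs.
    The Server:/Address: header lines are skipped because they have no Name:."""
    answers = defaultdict(list)
    for m in re.finditer(r"Name:\s+(\S+)\nAddress:\s+(\S+)", text):
        answers[m.group(1)].append(m.group(2))
    return dict(answers)

def blocked_lookups(answers, flagged_ips):
    """Per zelus: a name is only affected when the round robin hands out an
    address on the malware list. flagged_ips is caller-supplied (hypothetical
    here); returns, per name, the answers that would have been blocked."""
    return {name: [ip for ip in ips if ip in flagged_ips]
            for name, ips in answers.items()
            if any(ip in flagged_ips for ip in ips)}
```

    Run the three nslookup commands a few times over a day and feed each capture through parse_a_records to see how many distinct addresses one pool name cycles through; that rotation is why the dashboard can show sporadic blocks while a single lookup succeeds.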