OpenDNS Forums
The official support and discussion site of OpenDNS
This discussion has been inactive for longer than 30 days, and is thus closed.
-
Does anyone know why OpenDNS thinks pool.nt.org is a malware site?
1 pool.ntp.org Malware 10
This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites.
-
Are you referring to pool.nt.org or pool.ntp.org? One is not in the OpenDNS records; the other is not tagged as malware.
-
Typo, it should be pool.ntp.org.
-
pool.ntp.org is tagged software/tech not malware so OpenDNS should not flag it up as malware. You may want to check your machine in case it has been hijacked and something is trying to redirect you to a malware site when you attempt to reach pool.ntp.org.
-
Also, is the error message from OpenDNS or your own virus software? pool.ntp.org has several different IP addresses that change depending on your location; one of these may be incorrectly listed as a possible malware site in your antivirus software.
-
- Author: maintenance
- Aug 6th 2012
pool.nt.org, on the other hand, is a parked domain. Not sure why either would come up as malware right now.
-
Just to fill in some blanks. The IP address 82.98.86.170 associated with pool.nt.org (not pool.ntp.org) does have prior associations with RBN and spam activity. It may have been set up to catch people accidentally typing this address, like in your first post.
-
I use (a subdomain of) pool.ntp.org as my regular timeserver, and it's not being blocked for me.
-
Thanks birkira, but I stated previously that I had mistyped pool.nt.org instead of pool.ntp.org, so obviously that is not the case.
I didn't say it was blocked; it turns up as "Malware/Botnet Activity Detected" on the OpenDNS website dashboard.
-
If it comes up this way, it was blocked, of course. So it apparently was pool.nt.org.
-
Appears just recently pool.ntp.org was added as malware, as I have 826 requests blocked for pool.ntp.org as a malware site. I also am wondering why this is. It was not blocked last week.
-
- Author: maintenance
- Aug 6th 2012
Odd. I still get no indication that it is blocked as a malware domain.
; <<>> DiG 9.3.2 <<>> pool.ntp.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 759
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pool.ntp.org. IN A
;; ANSWER SECTION:
pool.ntp.org. 376 IN A 173.244.211.10
pool.ntp.org. 376 IN A 75.144.11.42
pool.ntp.org. 376 IN A 69.122.22.85
;; Query time: 46 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Mon Aug 06 14:14:00 2012
;; MSG SIZE rcvd: 78
-
Ok, I just checked all ten variations of pool.ntp.org that OpenDNS has in its tagging database, and none of them are marked as malware or even have as little as one vote towards malware. Those having an issue need to ask support for an answer, as clearly it is not happening to all users.
-
Certainly worth looking into. Our OpenDNS dashboard lists four ntp.org queries (for today) as blocked (two each, from two of our sites), with the reason in each case being "malware".
0.pool.ntp.org
2.pool.ntp.org
2.north-america.pool.ntp.org
0.centos.pool.ntp.org
-
Again, none of these sites are tagged as malware when you search for them in the tagging database, and none appear in any of my OpenDNS-based networks as malware. Please contact support. When support has given an answer, let us all know, as it is an intriguing mystery for some as well as an inconvenience for other users.
-
"none of these sites are tagged as malware when you search for them in the tagging database"
Malware domains generally are not tagged as such in the domain tagging system. This is a different database.
-
You are right, but as a malware moderator I can see that database as well.
-
This is still showing as malware. Any idea why?
---------------------------
7 pool.ntp.org 358
This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites .
---------------------------
-
@nmcsafety
Post the complete plain text output of the following commands here (trailing dots are part of them!):
nslookup -type=txt debug.opendns.com.
nslookup pool.ntp.org.
-
Please post the output of the commands that rotblitz has posted above.
-
I'll post some nslookup output. (Our own addresses sanitized out of habit.) Posting the two nslookups you requested, but our reports don't list pool.ntp.org as being malware, so I'm also posting an nslookup for one that is (0.pool.ntp.org).
So it appears that pool.ntp.org lookups are succeeding, but that (in our case) the Dashboard is erroneously reporting them as being blocked. Puzzling. Here's that output.
**********
$ nslookup -type=txt debug.opendns.com
Server: 10.1.2.3
Address: 10.1.2.3#53
Non-authoritative answer:
debug.opendns.com text = "server 4.pao"
debug.opendns.com text = "flags 20 0 7e6 100000000000"
debug.opendns.com text = "id 8807571"
debug.opendns.com text = "source 204.72.79.220:22016"
Authoritative answers can be found from:
$ nslookup pool.ntp.org
Server: 10.1.2.3
Address: 10.1.2.3#53
Non-authoritative answer:
Name: pool.ntp.org
Address: 69.167.160.102
Name: pool.ntp.org
Address: 96.44.142.5
Name: pool.ntp.org
Address: 199.4.29.166
$ nslookup 0.pool.ntp.org
Server: 10.1.2.3
Address: 10.1.2.3#53
Non-authoritative answer:
Name: 0.pool.ntp.org
Address: 208.87.104.40
Name: 0.pool.ntp.org
Address: 71.170.175.35
Name: 0.pool.ntp.org
Address: 71.238.226.18
-
"So it appears that pool.ntp.org lookups are succeeding, but that (in our case) the Dashboard is erroneously reporting them as being blocked."
You're correct somehow...
-
(with chuckle) Which leaves the three-part question: Does OpenDNS in fact think it needs to block ntp.org sites, and if so, why isn't it doing so, and why does it (incorrectly) report them as having been blocked as malware?
I'm so confused.
-
Administrator: Well, let's see:
#1: If only a certain IP/server that hosts the domain has malicious content on it, then requests that result in resolution to that server/IP will be blocked - only specific instances of the requests will be blocked. Does the domain have rotating server/IPs? Was a bad one pulled out and no longer used?
#2: If the Stats that are being pulled for your networks are old, then you may be looking at a time when there was a false positive or a time when there was a positive hit for our Malware listing; the domain is no longer tagged so requests to it are not blocked any longer.
If you're still having concerns about this issue, please open a support ticket, and we'll have our support engineers look into it: https://dashboard.opendns.com/support/
-
"Does the domain have rotating server/IPs?"
Oh yeah! Even excessive! Your explanations most likely caught it.
-
Unfortunately there are 1000s of servers for the NTP service which uses a 'DNS round robin to make a random selection from a pool of time servers who have volunteered to be in the pool.'
-
- Author: skynetsolutions
- Aug 16th 2012
Add us to the list, from our MSP dashboard:
pool.ntp.org Malware 5
This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites.
0.pool.ntp.org Malware 17
This malware site was blocked for your protection. You can make an exception for this domain or stop blocking malware sites.
-
"You can make an exception for this domain"
What a good proposal! Why not follow it?
-
- Author: skynetsolutions
- Aug 16th 2012 (edited)
"What a good proposal! Why not follow it?"
If that was aimed at us, then we had already made an exception. I was just sharing that we were seeing the issue too.
No need to be crass.
-
This wasn't meant to be crass. As birkita said above, there are thousands of servers under this domain, nearly everybody can apply to operate an NTP server under the pool.ntp.org domains. And this is occasionally misused by certain people to do their malicious "work".
And when it comes to the point, and "If only a certain IP/server that hosts the domain has malicious content on it, then requests that result in resolution to that server/IP will be blocked (zelus)", due to the IP address rotation a subdomain can by chance land on such a bad IP address again. And this is good as it is, because it protects you. It is not the domain itself that is blocked then, but the underlying IP address a certain subdomain resolves to at a certain time.
As said, you have the following options with your settings:
- Generally don't block malware/botnet (under Security settings)
- Or whitelist pool.ntp.org or even ntp.org
- Or live with the fact that *.pool.ntp.org is (only) occasionally blocked.
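The per-IP blocking mechanism that zelus (the administrator) describes above and that rotblitz restates in the post just before this one can be checked against the nslookup output posted earlier in the thread. The following Python is an added example written for this page; it is not code from the thread, from OpenDNS, or from the NTP pool project. It parses nslookup transcripts like the ones posted (the sample below is copied from the thread, with the resolver address the poster had already sanitized), applies a blocklist of individual addresses to each answer set, and then models rotating round-robin answers to show what fraction of queries such a policy blocks. The blocklist entries and the 192.0.2.0/24 pool are constructed for illustration (TEST-NET-1); nothing here claims that any address is actually listed by OpenDNS.

```python
"""Added example: per-IP blocking against a DNS round-robin pool.

Not part of the original thread or of OpenDNS's tooling. Shows why a pool
domain such as pool.ntp.org can be reported as blocked in a dashboard while
most lookups for it still succeed: only the queries whose answer set happens
to contain a listed address are blocked.

Assumption: the blocklist addresses and the 192.0.2.x pool below are made up
for illustration; no address here is claimed to be listed anywhere.
"""
import re

# Transcript copied from the thread (resolver address already sanitized).
SAMPLE_NSLOOKUP = """\
$ nslookup pool.ntp.org
Server: 10.1.2.3
Address: 10.1.2.3#53
Non-authoritative answer:
Name: pool.ntp.org
Address: 69.167.160.102
Name: pool.ntp.org
Address: 96.44.142.5
Name: pool.ntp.org
Address: 199.4.29.166
$ nslookup 0.pool.ntp.org
Server: 10.1.2.3
Address: 10.1.2.3#53
Non-authoritative answer:
Name: 0.pool.ntp.org
Address: 208.87.104.40
Name: 0.pool.ntp.org
Address: 71.170.175.35
Name: 0.pool.ntp.org
Address: 71.238.226.18
"""

_NAME_RE = re.compile(r"^Name:\s+(\S+)$")
_ADDR_RE = re.compile(r"^Address:\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_nslookup(text):
    """Return {name: [IPv4, ...]} from one or more nslookup transcripts.

    'Address: 10.1.2.3#53' under 'Server:' is the resolver, not an answer:
    it carries a '#port' suffix (rejected by _ADDR_RE) and no 'Name:' line
    precedes it, so it is never attached to a queried name.
    """
    answers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("$ ") or line.startswith("Server:"):
            current = None  # new transcript; resolver header follows
            continue
        m = _NAME_RE.match(line)
        if m:
            current = m.group(1).rstrip(".")
            answers.setdefault(current, [])
            continue
        m = _ADDR_RE.match(line)
        if m and current is not None:
            answers[current].append(m.group(1))
    return answers


def blocked_lookups(answers, blocklist):
    """For each name, list the answer IPs that are on the blocklist.

    An empty list means that answer set passes; a non-empty list means this
    particular lookup would be blocked under a per-IP policy even though the
    name itself is not listed.
    """
    listed = set(blocklist)
    return {name: sorted(set(ips) & listed) for name, ips in answers.items()}


def round_robin_block_count(pool, blocklist, window, queries):
    """Count blocked queries under rotating round-robin answers.

    Each query is served `window` consecutive pool entries starting one
    position later than the previous query; a query is blocked if any served
    address is listed. With one listed address in a pool of n, exactly
    `window` of every n consecutive queries include it: the "occasionally
    blocked" pattern the dashboard shows.
    """
    listed = set(blocklist)
    n = len(pool)
    blocked = 0
    for i in range(queries):
        served = {pool[(i + k) % n] for k in range(window)}
        if served & listed:
            blocked += 1
    return blocked


if __name__ == "__main__":
    answers = parse_nslookup(SAMPLE_NSLOOKUP)
    # Hypothetical: treat one of 0.pool.ntp.org's answers as listed.
    print(blocked_lookups(answers, {"71.170.175.35"}))
    pool = ["192.0.2.%d" % i for i in range(1, 10)]  # constructed 9-host pool
    print(round_robin_block_count(pool, {"192.0.2.5"}, 3, 900))
```

Run it as-is and the second line printed is 300 of 900 queries blocked for a single listed host in a nine-host pool served three at a time; that is the shape of the "826 requests blocked" figure reported earlier while a plain `nslookup pool.ntp.org.` still returns addresses. To apply it to your own network, replace SAMPLE_NSLOOKUP with the transcript from your resolver and the blocklist with whatever addresses your dashboard attributes the blocks to.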