Norton DNS test

Discussion in 'other software & services' started by m00nbl00d, Apr 7, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was making some tests in a relative's laptop, running Windows 7 Ultimate SP1. When ClearCloud DNS, by Sunbelt, ceased to exist, I configured my relative's connection device to use Norton DNS IP addresses. I did some tests, to make sure it was blocking, and it was.

    Some time ago, Symantec made changes to Norton DNS, and to block phishing websites, one had to use another set of IP addresses, namely Preferred DNS: 198.153.192.40 and Alternate DNS: 198.153.194.40.

    -https://dns.norton.com/dnsweb/huConfigurePc.do

    Norton DNS gets its data from Norton SafeWeb -https://dns.norton.com/dnsweb/faq.do

    Norton ConnectSafe leverages the Norton Safe Web database. Safe Web contains information on millions of sites and it is queried billions of times each day. Norton ConnectSafe is updated every few minutes with the latest site rating information.

    They now call Norton DNS, Norton ConnectSafe, by the way. Anyway, apparently, Norton DNS/ConnectSafe will be updated every few minutes.

    To my surprise, I thought I had changed my relative's configuration to use the IPs I mentioned above, but it was still running the old IP addresses. I had forgotten to modify them. :oops: :D

    So, I altered the IPs, and then rebooted the laptop. I tested Norton DNS with the following domain, which is flagged as being a phishing domain by SafeWeb -https://safeweb.norton.com/report/show?url=omgclothes.com.au

    Norton DNS did not block access to it. Considering that the FAQ page mentions "every few minutes", I waited like 10 minutes. It still wasn't blocking it. 10 minutes is a long time, isn't it? It's more than enough for someone to fall for such fraudulent schemes. :argh:

    Unfortunately, when I tried to access -https://safeweb.norton.com/buzz where one can see more malicious/fraudulent websites, I kept getting redirected to the main page, in Google Chrome. If using Internet Explorer 9 I'd remain in that page, but I'd only see the contents of the main page. So, I couldn't test more. If I had to manually verify individual domains, by getting them from third-parties, it would probably take me more time. Time I couldn't waste.

    Now, that I'm on my laptop, using Chromium, I can access it (-https://safeweb.norton.com/buzz)... Odd. o_O

    Anyway, is anyone running Norton DNS, using the above IP addresses? Can you access -https://safeweb.norton.com/report/show?url=omgclothes.com.au. Please, make sure you're not testing it in a production system/unprotected system.

    I'm wondering if there are any problems with Norton DNS? o_O I'm running OpenDNS myself.
     
  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)

    Source:
    https://safeweb.norton.com/report/show?url=omgclothes.com.au


    No problems accessing any of the hyperlinks you requested trying.
    Tested with both Microsoft Internet Explorer and SRWare IronPortable.
    The Web Site: "omgclothes.com.au" appears to be under construction according to the Web Sites Home Page.
    Symantec Norton DNS/ConnectSafe rates the Web Site "omgclothes.com.au" as: "Yellow or Caution".
    According to Symantec's Quote above, Web Sites rated "Caution" are not blocked recommending to "Proceed with caution".


    Tested all three of Symantec Norton DNS/ConnectSafe security policies in both Web Browsers, SRWare IronPortable and
    Microsoft Internet Explorer for the Web Site: "omgclothes.com.au". All three of Symantec Norton DNS/ConnectSafe
    security policies using both Web Browsers displayed all requested hyperlinks and the Web Site: "omgclothes.com.au".

    Symantec Norton ConnectSafe for Home Security Policies
    01] A - Security (malware, phishing sites and scam sites) DNS Servers = 198.153.192.40 and 198.153.194.40
    02] B - Security + Pornography DNS Servers = 198.153.192.50 and 198.153.194.50
    03] C - Security + Pornography + Non-Family Friendly DNS Servers = 198.153.192.60 and 198.153.194.60

    Source:
    https://dns.norton.com/dnsweb/huConfigurePc.do


    McAfee Online SiteAdvisor Results for: omgclothes.com.au
    http://www.siteadvisor.com/sites/omgclothes.com.au


    HKEY1952
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It does flag it as being a phishing website, and the IPs 198.153.192.40 and 198.153.194.40 are meant to block access to phishing websites as well.

    And, what you quoted from Norton SafeWeb...

    ... wouldn't have to necessarily apply to Norton DNS, IMO. It should block it. Norton DNS always gives the option to bypass the block, so why not block it?

    Phishtank does report the domain mentioned as being a phishing domain. -https://www.phishtank.com/phish_detail.php?phish_id=1405526

    -http://www.urlvoid.com/scan/omgclothes.com.au
    -https://www.mywot.com/en/scorecard/omgclothes.com.au

    BitDefender TrafficLight also flags it.
     
  4. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    I agree m00nbl00d, the Web Site "omgclothes.com.au" is flagged as being a phishing site, and the:
    01] A - Security (malware, phishing sites and scam sites) DNS Servers = 198.153.192.40 and 198.153.194.40
    are indeed meant to block access to phishing Web Sites.

    I only ran the tests and Posted the results, and questioned those results myself.

    I am still scratching my head because the strictest network for Symantec Norton DNS/ConnectSafe is the:
    03] C - Security + Pornography + Non-Family Friendly DNS Servers = 198.153.192.60 and 198.153.194.60 and it did not
    block the Web Site.


    HKEY1952
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Can you access --https://safeweb.norton.com/buzz ?

    If you can, you may find a few phishing domains, but will for certain find malicious domains. I wonder if it will block them?

    I'd test it myself, but that would mean making changes in my device, and create individual DNS rules for it. :D And, if you're running it already... I think you are, anyway. :blink:

    -edit-

    This page reports a phishing domain, but gives it a red warning -https://safeweb.norton.com/report/show?name=gft6.com
     
  6. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    I have the results m00nbl00d, give me some time to create the Post.

    [Post completed]

    01] Can you access --https://safeweb.norton.com/buzz ?
    Yes, I can access --https://safeweb.norton.com/buzz

    02] If you can, you may find a few phishing domains, but will for certain find malicious domains.
    I wonder if it will block them?

    Yes, Symantec Norton DNS/ConnectSafe blocks listed phishing and malicious domains.

    03] I'd test it myself, but that would mean making changes in my device, and create individual DNS rules for it.
    And, if you're running it already... I think you are, anyway.

    Yes, My security setup gives me the freedom to roam the World Wide Web in a relaxed peaceful secure state,
    and is flexible.

    04] This page reports a phishing domain, but gives it a red warning -https://safeweb.norton.com/report/show?name=gft6.com


    NDNS001.JPG


    EDIT: completeness


    HKEY1952
     
    Last edited: Apr 7, 2012
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So... it makes me believe that Norton DNS will only block domain names that are rated with a WARNING @ -https://safeweb.norton.com... But, it won't block access to domains rated with a CAUTION.

    That's stupid. Because, if they flag the domain name with a CAUTION rate as being a phishing one, then it should be blocked.

    Actually, any suspicious domain should be blocked. The user can always access it.

    Not sure I understand this behavior. This means that if anyone were to access the website mentioned here -https://safeweb.norton.com/report/show?url=omgclothes.com.au, and that I previously made a reference to, then the unsuspecting user will be a victim of a phishing "attack". Other sources also pointed it as being a phishing domain.

    Anyway... thanks. :thumb:
     
  8. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Exactly, and did you notice in the screenshot the word Beta for the Button "Continue to Site"?

    That screenshot was taken while using:
    03] C - Security + Pornography + Non-Family Friendly DNS Servers = 198.153.192.60 and 198.153.194.60

    That must be recent because both Buttons never existed in the Family Package before.
    The only choices were to close the Web Browser
    Type in another address in the address bar
    Or click on a Favorites link

    There was no way to enter the blocked domain once it was blocked.
    Now it looks like a minor can click on "Continue to Site"

    I give up, back to OpenDNS


    EDIT: spelling/grammar


    HKEY1952
     
    Last edited: Apr 7, 2012