Hacking Create your own DNS Server to Block Nintendo Updates

Ninja_Carver

Well-Known Member
OP
Member
Joined
Dec 27, 2012
Messages
364
Trophies
0
Age
39
XP
652
Country
United States
I had previously tried to create a server that the community could use for this purpose; however, it became apparent promptly afterwards that the server was being abused and leveraged in DDoS attacks. I have put together a short HOWTO on how to create your own BIND server that can accomplish the same thing within your own secure network. If you're like me, and don't have a router that can block hosts, then you will find this advantageous.

  1. Download BIND 9.9.7 (Stable, ESV) from ftp://ftp.isc.org/isc/bind9/9.9.7/BIND9.9.7.x86.zip
  2. Extract files to a temporary location
  3. Run BINDInstall.exe from aforementioned temporary location.
     a. Create a Service Account Password
  4. After Installation, you will receive a dialog box stating the installation was successful, click OK, then Exit.
  5. Open your favorite Text Editor, for Windows my recommendation is Notepad++ (it's Freeeeee!)
  6. Dump the following contents in a new file, and save as: C:\Program Files (x86)\ISC BIND 9\etc\named.conf
MAKE SURE THE FILE NAME EXTENSION IS ONLY ".CONF", not ".CONF.TXT" OR ANYTHING LIKE THAT
MAKE SURE YOU CHANGE THE "ROUTER_OR_GATEWAY_IP" FIELD IN THE THIRD LINE TO REFLECT YOURS

Code:
options {
        directory "C:/Program Files (x86)/ISC BIND 9";
        forwarders { ROUTER_OR_GATEWAY_IP; };
        notify no;
};
 
zone "localhost" in {
      type master;
      file "db.localhost.txt";
};
 
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0.txt";
};
 
zone "." in {
        type hint;
        file "root.hint.txt";
};
 
zone "nus.c.shop.nintendowifi.net" {
    type master;
    file "db.nus.c.shop.nintendowifi.net.txt";
};
 
zone "nus.cdn.c.shop.nintendowifi.net" {
    type master;
    file "db.nus.cdn.c.shop.nintendowifi.net.txt";
};
 
zone "nus.cdn.shop.wii.com" {
    type master;
    file "db.nus.cdn.shop.wii.com.txt";
};
 
zone "nus.cdn.wup.shop.nintendo.net" {
    type master;
    file "db.nus.cdn.wup.shop.nintendo.net.txt";
};
 
zone "nus.wup.shop.nintendo.net" {
    type master;
    file "db.nus.wup.shop.nintendo.net.txt";
};


  7. Download the attached archive, containing all the blocking zone files, and extract to "C:\Program Files (x86)\ISC BIND 9"
  8. Open an Elevated Command Prompt (right click Command Prompt, Run as administrator).
  9. Enter the following command: "net start named"
  10. If the service starts successfully, you can test as follows in the command prompt:

Code:
nslookup www.google.com 127.0.0.1 <-- WORKS? Good.
nslookup nus.cdn.shop.wii.com 127.0.0.1 <-- FAILS? Good.

  11. If all of the tests go according to plan, you can now point your WiiU to the IP of the machine you're running the BIND server on. To find out the IP of your machine, run IPCONFIG from the command prompt. The IP address should be within the output, and so should the gateway (or router) IP.

If the service fails to start for whatever reason, check your Application Event Log in Event viewer and report here... I'll do my best to help you.
 

Attachments

  • ninty_zone_files.zip
    3.5 KB · Views: 691

CosmoCortney

i snack raw pasta and chew lollipops
Member
Joined
Apr 18, 2013
Messages
1,768
Trophies
2
Location
on the cool side of the pillow
Website
follow-the-white-rabbit.wtf
XP
3,007
Country
Germany
Nice :)
I'd suggest that someone could make a sticky about all kinds of update blocking and webkit exploit execution without a valid internet connection (like Mr. Mysterio has recently shown to me). At least as soon as the kernel exploit is out. Update blocking or running a local server would be the first step for everyone
 

Ninja_Carver

Please remember to either add a rule in Windows Firewall for inbound/outbound UDP port 53 or disable Windows Firewall entirely. Just tested this. Seems to work well. Let me know how it goes.
 

Relys

^(Software | Hardware) Exploit? Development.$
Member
Joined
Jan 5, 2007
Messages
878
Trophies
1
XP
1,239
Country
United States
Ninja_Carver said:
Please remember to either add a rule in Windows Firewall for inbound/outbound UDP port 53 or disable Windows Firewall entirely. Just tested this. Seems to work well. Let me know how it goes.

I would recommend egress filtering and blocking off UDP port 53 outside of your LAN.
 

starerik

Well-Known Member
Newcomer
Joined
Feb 23, 2007
Messages
59
Trophies
1
XP
262
Country
I got the service running, but I'm not sure what it's supposed to look like when that nus IP fails. A picture or a quote would have been nice.

Also, any suggestions how I point the Wii U to the server machine? What am I to look for in my router settings?
 

OriginalHamster

UStealthy
Member
Joined
Nov 2, 2008
Messages
3,380
Trophies
0
Age
44
XP
1,367
Country
Cote d'Ivoire
It says the connection was successful, but I can't access any webpage from the Wii U...
I set my BIND server IP, and it asks for a manual DNS. Do I put the same one I've got in my PC connection?

cmd: ipconfig shows a blank space on DNS...
 

Ninja_Carver

starerik said:
I got the service running, but I'm not sure what it's supposed to look like when that nus IP fails. A picture or a quote would have been nice.

Also, any suggestions how I point the Wii U to the server machine? What am I to look for in my router settings?

I apologize, you're right, that probably would have been helpful...

From the command prompt, you can use nslookup to test blocking....

if you do an 'nslookup www.google.com' that should return a bunch of IP addresses for google.

However, if you attempt an 'nslookup nus.c.shop.nintendowifi.net' or any other 'zones' that we're blocking you should return nothing, or even return an error. That behavior will vary between different computers.

IPCONFIG shows blank for DNS? You didn't change the DNS settings on your PC right? The only place you're changing the DNS settings is on your WiiU. You manually set the IP of your PC in the WiiU.
 

Ninja_Carver

Here's what it looks like from my workstation. Keep in mind your mileage may vary because I'm on Windows 2008 R2.

Code:
C:\Windows\system32>nslookup www.google.com 127.0.0.1
Server:  UnKnown
Address:  127.0.0.1
 
Non-authoritative answer:
Name:    www.google.com
Addresses:  2607:f8b0:4002:c01::93
          173.194.219.99
          173.194.219.105
          173.194.219.104
          173.194.219.103
          173.194.219.147
          173.194.219.106
 
 
C:\Windows\system32>nslookup nus.c.shop.nintendowifi.net 127.0.0.1
Server:  UnKnown
Address:  127.0.0.1
 
Name:    nus.c.shop.nintendowifi.net
 
 
C:\Windows\system32>
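
The same check as the nslookup tests above, as an added example that is not part of the original posts: a standard-library Python script that sends an A query for each blocked zone and for the control name, then reports whether address records came back. It treats a reply with no answer records (as in the output above) or with an error code as blocked; the verdict labels and the 127.0.0.1 target are choices made for this example.

```python
import socket
import struct

# Zones overridden in the thread's named.conf; CONTROL must still resolve via the forwarder.
BLOCKED = [
    "nus.c.shop.nintendowifi.net",
    "nus.cdn.c.shop.nintendowifi.net",
    "nus.cdn.shop.wii.com",
    "nus.cdn.wup.shop.nintendo.net",
    "nus.wup.shop.nintendo.net",
]
CONTROL = "www.google.com"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query in DNS wire format (RFC 1035)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify(response, qid=0x1234):
    """Return (verdict, detail) based on the 12-byte header of a DNS reply."""
    if len(response) < 12:
        return "ERROR", "short response"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:  # wrong transaction ID or QR bit clear
        return "ERROR", "not a reply to our query"
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR" and ancount > 0:
        return "RESOLVES", "%d answer record(s)" % ancount
    return "NO_ANSWER", "%s, %d answer records" % (rcode, ancount)


def check(server, name, timeout=3.0):
    """Send one UDP query to server:53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            return classify(sock.recvfrom(4096)[0])
        except OSError as exc:  # timeout, unreachable host, firewall drop
            return "ERROR", str(exc)


if __name__ == "__main__":
    for host in BLOCKED + [CONTROL]:  # expect NO_ANSWER for all but CONTROL
        print(host, *check("127.0.0.1", host))  # loopback, as in the thread's tests
```

Run it on the PC hosting BIND; from another machine on the LAN, replace 127.0.0.1 with that PC's address, where an ERROR verdict on every name usually means UDP port 53 is still blocked by the host firewall.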
 

starerik

Are you behind a router? They shouldn't be blocking you from having a DNS server on your own LAN.
Well, they did. The ISP blocked port 53 last year because of DDoS attacks. When I tried to open up port 53 in Windows Firewall the router (which unfortunately is also the modem) said "nope" and shut down internet.
 

Ninja_Carver

starerik said:
Well, they did. The ISP blocked port 53 last year because of DDoS attacks. When I tried to open up port 53 in Windows Firewall the router (which unfortunately is also the modem) said "nope" and shut down internet.

I don't think there is any connection at all between Windows Firewall and your router... That would be a first time for me ... Try completely disabling Windows Firewall.... Does your router still shut down?
What if you were running Linux and you didn't have Windows Firewall? lol
 

OriginalHamster

Ninja_Carver said:
IPCONFIG shows blank for DNS? You didn't change the DNS settings on your PC right? The only place you're changing the DNS settings is on your WiiU. You manually set the IP of your PC in the WiiU.
Yeah, I have a manually set DNS; I had to do it that way because I keep my PC IP static.
Weird thing is the Wii U reports the test connection as successful.
 

Onion_Knight

Well-Known Member
Member
Joined
Feb 6, 2014
Messages
878
Trophies
0
Age
45
XP
997
Country
starerik said:
Well, they did. The ISP blocked port 53 last year because of DDoS attacks. When I tried to open up port 53 in Windows Firewall the router (which unfortunately is also the modem) said "nope" and shut down internet.

Your own machine uses udp 53 to talk to your ISP DNS. They cannot block your DNS server and still allow you outbound since your internal LAN has the same external facing IP. It all looks the same. The only issue that might arise is that your DNS server would use TCP to connect to their DNS server. They might not want you doing zone transfers.
 

OriginalHamster

Does the eShop shop open? It should not...

You should be able to visit websites in the browser still, though.
I can't access any online service from the Wii U, including the browser; I get a "couldn't find the server" error :c

PC side I think I got everything right: www.google.com shows a bunch of addresses, nus.eshop doesn't bring anything. Should I test with another URL, or is the Google one enough?
 
