Create your own DNS Server to Block Nintendo Updates

Discussion in 'Wii U - Hacking & Backup Loaders' started by Ninja_Carver, Mar 20, 2015.

  1. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    I had previously tried to create a server that the community could use for this purpose, however it became apparent promptly afterwards that the server was being abused and leveraged in DDoS attacks. I have put together a short HOWTO on how to create your own BIND server that can accomplish the same thing within your own secure network. If you're like me, and don't have a router that can block hosts, then you will find this advantageous.

    1. Download BIND 9.9.7 (Stable, ESV) from ftp://ftp.isc.org/isc/bind9/9.9.7/BIND9.9.7.x86.zip
    2. Extract files to a temporary location
    3. Run BINDInstall.exe from aforementioned temporary location.
       a. Create a Service Account Password
    4. After Installation, you will receive a dialog box stating the installation was successful, click OK, then Exit.
    5. Open your favorite Text Editor, for Windows my recommendation is Notepad++ (it's Freeeeee!)
    6. Dump the following contents in a new file, and save as: C:\Program Files (x86)\ISC BIND 9\etc\named.conf
    MAKE SURE THE FILE NAME EXTENSION IS ONLY ".CONF", not ".CONF.TXT" OR ANYTHING LIKE THAT
    MAKE SURE YOU CHANGE THE "ROUTER_OR_GATEWAY_IP" FIELD IN THE THIRD LINE TO REFLECT YOURS

    Code:
    options {
            directory "C:/Program Files (x86)/ISC BIND 9";
            forwarders { ROUTER_OR_GATEWAY_IP; };
            notify no;
    };
     
    zone "localhost" in {
          type master;
          file "db.localhost.txt";
    };
     
    zone "0.0.127.in-addr.arpa" in {
            type master;
            file "db.127.0.0.txt";
    };
     
    zone "." in {
            type hint;
            file "root.hint.txt";
    };
     
    zone "nus.c.shop.nintendowifi.net" {
        type master;
        file "db.nus.c.shop.nintendowifi.net.txt";
    };
     
    zone "nus.cdn.c.shop.nintendowifi.net" {
        type master;
        file "db.nus.cdn.c.shop.nintendowifi.net.txt";
    };
     
    zone "nus.cdn.shop.wii.com" {
        type master;
        file "db.nus.cdn.shop.wii.com.txt";
    };
     
    zone "nus.cdn.wup.shop.nintendo.net" {
        type master;
        file "db.nus.cdn.wup.shop.nintendo.net.txt";
    };
     
    zone "nus.wup.shop.nintendo.net" {
        type master;
        file "db.nus.wup.shop.nintendo.net.txt";
    };

    7. Download the attached archive, containing all the blocking zone files, and Extract to "C:\Program Files (x86)\ISC BIND 9"
    8. Open an Elevated Command Prompt (Right click command prompt, run as administrator).
    9. Enter the following command "net start named"
    10. If the service starts successfully, you can test as follows in the command prompt:

    Code:
    REM WORKS? Good.
    nslookup www.google.com 127.0.0.1
    REM FAILS? Good.
    nslookup nus.cdn.shop.wii.com 127.0.0.1

    11. If all of the tests go according to plan, you can now point your WiiU to the IP of the machine you're running the BIND server on. To find out the IP of your machine, run IPCONFIG from the command prompt. The IP address should be within the output, and so should the gateway (or router) IP.

    If the service fails to start for whatever reason, check your Application Event Log in Event viewer and report here... I'll do my best to help you.
     

    Attached Files:

    Crackerboy, Garou, wj44 and 8 others like this.


  2. CosmoCortney

    CosmoCortney The Hacker Furry

    Member
    1,549
    1,467
    Apr 18, 2013
    Germany
    on the cool side of the pillow
    Nice :)
    I'd suggest that someone could make a sticky about all kinds of update blocking and webkit exploit execution without a valid internet connection (like Mr. Mysterio has recently shown to me). At least as soon as the kernel exploit is out. Update blocking or running a local server would be the first step for everyone
     
  3. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    Please remember to either add a rule in Windows Firewall for inbound/outbound UDP port 53 or disable Windows Firewall entirely. Just tested this. Seems to work well. Let me know how it goes.
     
  4. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States



    I would recommend egress filtering and blocking off UDP port 53 outside of your LAN.
     
    WiiuGold likes this.
  5. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    I mean, as long as we have real firewalls here, Windows Firewall is pretty useless, amirite? :)
     
    TeamScriptKiddies likes this.
  6. TotalInsanity4

    TotalInsanity4 GBAtemp Supreme Overlord

    Member
    7,226
    7,336
    Dec 1, 2014
    United States
    Under a rock
    billzo and TeamScriptKiddies like this.
  7. starerik

    starerik Advanced Member

    Newcomer
    59
    13
    Feb 23, 2007
    I got the service running, but I'm not sure what it's supposed to look like when that nus IP fails. A picture or a quote would have been nice.

    Also, any suggestions how I point the Wii U to the server machine? What am I to look for in my router settings?
     
  8. TeamScriptKiddies

    TeamScriptKiddies Licensed Nintendo (indie) Game Developer

    Member
    1,904
    1,321
    Apr 3, 2014
    United States
    Planet Earth :P
  9. OriginalHamster

    OriginalHamster UStealthy

    Member
    3,381
    642
    Nov 2, 2008
    Cote d'Ivoire
    It says the connection was successful, but I can't access any webpage from Wii U...
    I set my Bind server IP, and it asks for manual DNS, I put the same I got in my PC connection?

    cmd: ipconfig shows a blank space on DNS...
     
  10. starerik

    starerik Advanced Member

    Newcomer
    59
    13
    Feb 23, 2007
    Wow, just found out my ISP blocks 53 to prevent own DNS servers. God dammit.
     
  11. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    I apologize, you're right, that probably would have been helpful...

    From the command prompt, you can use nslookup to test blocking....

    if you do an 'nslookup www.google.com' that should return a bunch of IP addresses for google.

    However, if you attempt an 'nslookup nus.c.shop.nintendowifi.net' or any other 'zones' that we're blocking you should return nothing, or even return an error. That behavior will vary between different computers.

    IPCONFIG shows blank for DNS? You didn't change the DNS settings on your PC right? The only place you're changing the DNS settings is on your WiiU. You manually set the IP of your PC in the WiiU.
     
    TeamScriptKiddies likes this.
  12. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    Are you behind a router? They shouldn't be blocking you from having a DNS server on your own LAN.
     
    TeamScriptKiddies likes this.
  13. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    Here's what it looks like from my workstation. Keep in mind your mileage may vary because I'm on Windows 2008 R2.

    Code:
    C:\Windows\system32>nslookup www.google.com 127.0.0.1
    Server:  UnKnown
    Address:  127.0.0.1
     
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:4002:c01::93
              173.194.219.99
              173.194.219.105
              173.194.219.104
              173.194.219.103
              173.194.219.147
              173.194.219.106
     
     
    C:\Windows\system32>nslookup nus.c.shop.nintendowifi.net 127.0.0.1
    Server:  UnKnown
    Address:  127.0.0.1
     
    Name:    nus.c.shop.nintendowifi.net
     
     
    C:\Windows\system32>
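
The nslookup test from the first post and the output shown above, automated for all five blocked zones. This is an added example, not code from the thread or from any poster; the function names (`build_query`, `parse_response`, `is_blocked`, `check`) are illustrative, and "blocked" is assumed to mean what the thread describes: an error, or a reply with no address.

```python
import socket
import struct
# Zone names taken from the named.conf in the first post.
BLOCKED = ["nus.c.shop.nintendowifi.net", "nus.cdn.c.shop.nintendowifi.net",
           "nus.cdn.shop.wii.com", "nus.cdn.wup.shop.nintendo.net",
           "nus.wup.shop.nintendo.net"]

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN question for `name` in DNS wire format."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, [IPv4 addresses from A records]) for a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def is_blocked(rcode, addrs):
    # Assumption: an error rcode, or NOERROR with no address, counts as blocked.
    return rcode != 0 or not addrs

def check(server, names=BLOCKED, timeout=3.0):
    """Query `server` on UDP 53; a timeout raises rather than counting as blocked."""
    result = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for name in names:
            sock.sendto(build_query(name), (server, 53))
            result[name] = is_blocked(*parse_response(sock.recvfrom(512)[0]))
    return result
```

Call `check("127.0.0.1")` on the machine running BIND, or pass that machine's LAN IP from another host on the same network; every name should map to `True`.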
     
  14. starerik

    starerik Advanced Member

    Newcomer
    59
    13
    Feb 23, 2007
    Well, they did. The ISP blocked port 53 last year because of DDoS attacks. When I tried to open up port 53 in Windows Firewall the router (which unfortunately is also the modem) said "nope" and shut down internet.
     
  15. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    I don't think there is any connection at all between Windows Firewall and your router... That would be a first time for me ... Try completely disabling Windows Firewall.... Does your router still shut down?
    What if you were running Linux and you didn't have Windows Firewall? lol
     
  16. OriginalHamster

    OriginalHamster UStealthy

    Member
    3,381
    642
    Nov 2, 2008
    Cote d'Ivoire
    Yeah, I have a manual set DNS, had to do that way because I keep my PC ip static.
    Weird thing is Wii U notify the test connection as successful
     
  17. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    Does the eShop shop open? It should not...

    You should be able to visit websites in the browser still, though.
     
  18. Onion_Knight

    Onion_Knight GBAtemp Advanced Fan

    Member
    878
    832
    Feb 6, 2014

    Your own machine uses udp 53 to talk to your ISP DNS. They cannot block your DNS server and still allow you outbound since your internal LAN has the same external facing IP. It all looks the same. The only issue that might arise is that your DNS server would use TCP to connect to their DNS server. They might not want you doing zone transfers.
     
  19. OriginalHamster

    OriginalHamster UStealthy

    Member
    3,381
    642
    Nov 2, 2008
    Cote d'Ivoire
    I can't access any online service from Wii U, including the browser, I get a couldn't find the server error :c

    PC side I think I got everything right, www.google.com shows a bunch of addresses, nus.eshop doesn't bring anything. Should test with another url? Or google one is enough?
     
  20. Ninja_Carver
    OP

    Ninja_Carver GBAtemp Fan

    Member
    356
    380
    Dec 27, 2012
    United States
    Have you tried the nslookup tests I provided above on your PC? How did they result?