[dns-operations] ``Ya.com says "The internet is mine" ''

paul at vix.com
Tue Aug 8 19:20:29 UTC 2006


someone did some analysis which i think deserves this larger audience.  i'm
not going to give them appropriate credit here since i didn't get permission
to repost this private e-mail.  but the analyst is on the list and can claim
credit in a followup if he so desires.

> Paul Vixie wrote:
>  > this isn't news but it's something we need to remain aware of:
>  >
>  > in <http://tsdgeos.blogspot.com/2006/08/yacom-says-internet-is-mine.html>
>  > (...)
>  >
>  > > If you want to test the pain i feel use 62.151.8.100 as your DNS server.
> 
> Not news, as you said, but this one gets quite interesting.
> Not in a good way.
> 
> For one thing, as you can deduce from the last sentence quoted,
> they operate an open recursive name server.
> 
> Second, they have a creative way of doing their thing.
> Look at this:
> 
> ---
> 
> $ dig @62.151.8.100 nowaythiswouldbearegisteredname.com a
> 
> ; <<>> DiG 9.2.4 <<>> @62.151.8.100 nowaythiswouldbearegisteredname.com a
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51975
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nowaythiswouldbearegisteredname.com. IN        A
> 
> ;; ANSWER SECTION:
> nowaythiswouldbearegisteredname.com. 10000 IN A 62.210.183.14
> nowaythiswouldbearegisteredname.com. 10000 IN TXT "NXDOMAIN"
> 
> ;; Query time: 314 msec
> ;; SERVER: 62.151.8.100#53(62.151.8.100)
> ;; WHEN: Tue Aug  8 21:07:52 2006
> ;; MSG SIZE  rcvd: 90
> 
> ---
> 
> Ask for an A, get a bundled TXT.
> 
> This implies that an application that's aware of their
> DNS "standards", will be able to tell synthesized from real.
> 
> But wait! there's more - it gets better.
> Watch this: if the string "domain" (the six characters)
> appears *anywhere* within the name queried for, the behavior
> suddenly changes:
> 
> $ dig @62.151.8.100 nowaythiswouldbearegistereddomainname.com a
> 
> ; <<>> DiG 9.2.4 <<>> @62.151.8.100 \
>	nowaythiswouldbearegistereddomainname.com a
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54865
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nowaythiswouldbearegistereddomainname.com. IN A
> 
> ;; Query time: 214 msec
> ;; SERVER: 62.151.8.100#53(62.151.8.100)
> ;; WHEN: Tue Aug  8 21:16:17 2006
> ;; MSG SIZE  rcvd: 59
> 
> 
> In this case, we received a real, a-la RFC, behavior (rcode).
> Go figure.
> 
> This goes to emphasize the statement in the subject line,
> in more than the original meaning. People invent their own
> DNS protocols time and again, leading to varying levels of
> pain and/or breakage.

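The analysis above notes that an application aware of Ya.com's "standard" can tell a synthesized answer from a real one, because the bogus A record comes bundled with a TXT "NXDOMAIN" in the answer section, while names containing the string "domain" get an honest rcode 3. The following is an added example, not part of the original post or of anything Ya.com ships: a small Python DNS wire-format parser plus a classifier that applies exactly that heuristic. The three messages it inspects are constructed here to mirror the two dig runs (one A question, answer owner names as compression pointers to the question, no authority/additional section, no EDNS); the heuristic, the marker string and all function names are my own assumptions.

```python
import struct

TYPE_A, TYPE_TXT = 1, 16
CLASS_IN = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
NXDOMAIN_MARKER = "NXDOMAIN"   # TXT string the resolver bundles with synthesized A records


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, rcode, answers, msg_id=0x1234):
    """Constructed sample only: assemble a minimal DNS response (one A question,
    no authority/additional, no EDNS). answers = [(rrtype, ttl, rdata), ...].
    Answer owner names use a compression pointer to the question name at offset 12."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, as in the dig output
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, CLASS_IN, ttl, len(rd)) + rd
                   for t, ttl, rd in answers)
    return header + question + rrs


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def txt_strings(rdata):
    """Split TXT rdata into its length-prefixed character strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out


def parse_response(msg):
    """Parse the header, the single question, and the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    assert qdcount == 1, "example handles exactly one question"
    qname, offset = read_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rrtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rrtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"rcode": flags & 0xF, "qname": qname, "qtype": qtype, "answers": answers}


def classify(msg):
    """'nxdomain'    : honest RFC 1035 rcode 3.
    'synthesized' : NOERROR with an A record plus a TXT "NXDOMAIN" marker
                    (the pattern in the first dig run above).
    'answered'    : any other NOERROR response."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    has_a = any(t == TYPE_A for _, t, _, _ in r["answers"])
    marked = any(t == TYPE_TXT and NXDOMAIN_MARKER in txt_strings(rd)
                 for _, t, _, rd in r["answers"])
    if r["rcode"] == RCODE_NOERROR and has_a and marked:
        return "synthesized"
    return "answered"


# Constructed samples mirroring the two dig runs above, plus an ordinary answer.
SYNTHESIZED = build_response("nowaythiswouldbearegisteredname.com", RCODE_NOERROR,
                             [(TYPE_A, 10000, bytes([62, 210, 183, 14])),
                              (TYPE_TXT, 10000, b"\x08NXDOMAIN")])
REAL_NXDOMAIN = build_response("nowaythiswouldbearegistereddomainname.com", RCODE_NXDOMAIN, [])
ORDINARY = build_response("example.com", RCODE_NOERROR, [(TYPE_A, 300, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    for label, m in [("synthesized", SYNTHESIZED), ("real", REAL_NXDOMAIN), ("ordinary", ORDINARY)]:
        print(label, "->", classify(m))
```

A useful sanity check on the constructed encoding: with pointer-compressed owner names and no EDNS, the two samples come out at 90 and 59 bytes, the same MSG SIZE rcvd values dig reported, so the layout matches what the resolver actually sent. Note the caveat the analysis itself implies: this marker is specific to one operator's private convention, so a client that keys on it learns nothing about resolvers that rewrite NXDOMAIN without leaving any such hint; the robust check remains comparing rcodes for a name you know does not exist.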

