[dns-operations] Source code to identify the fake DNS packets from China Re: Odd behaviour on one node in I root-server (facebook, youtube & twitter)
Hauke Lampe
lampe at hauke-lampe.de
Fri Apr 9 09:54:49 UTC 2010
John Kristoff wrote:
> David Dagon <dagon at cc.gatech.edu> wrote:
>
>> a) Entire CIDRs (large ones: /16s, etc.) in China are open
>> recursive, at least for qnames matching those three strings.
>
> They wouldn't be open recursive then, they'd effectively be claiming
> authority, either implicitly or explicitly.
I used DNS traceroute to get a better view on those fake answers.
Example:
hping2 -T -n -2 -p 53 -E query-twitter.dns -d 34 123.123.123.123
(example payload attached or at
https://www.hauke-lampe.de/linkedstuff/query-twitter.dns)
A few hops across the network border, volleys of forged answers begin to
appear. The query packets are not dropped, though, as I see "TTL
exceeded" messages all the way to the destination host.
So, a DNSSEC-signed answer should eventually make it back to the
initiator, if the listener hadn't already closed down after the first
unsigned reply matched the query's QID.
Hauke.
Attachment: query-twitter.dns (application/octet-stream, 29 bytes): <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100409/f1131aed/attachment.obj>
Attachment: signature.asc (OpenPGP digital signature, 197 bytes): <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100409/f1131aed/attachment.sig>
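As an added example (not code from Hauke's post or from hping2), the DNS traceroute idea above in Python: it rebuilds the query, resends it with increasing IP TTL, and parses whatever UDP replies come back. The attached payload is assumed to be a plain A query for twitter.com (12-byte header plus 13-byte QNAME plus QTYPE/QCLASS is exactly 29 bytes, which matches the attachment size, but the actual file is not on the page); the sample replies, hop counts and addresses below are constructed, and the network function is a sketch that needs connectivity and is not exercised offline. The two listener functions illustrate the last paragraph of the post: a resolver that accepts the first reply matching the QID takes the forged one, while one that keeps listening until its timeout sees two different answer sets for the same QID and an RRSIG only in the later one.

```python
# DNS traceroute for injected answers. Added example; assumptions: the
# 29-byte payload is an A query for twitter.com, all replies are constructed.
import socket
import struct

TYPE_A, TYPE_RRSIG = 1, 46


def build_query(qname, qid, qtype=TYPE_A):
    """Minimal DNS query: header (RD set, one question), QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(pkt, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # resume after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_reply(pkt):
    """Return qid, flags, questions and answer RRs as (name, type, rdata)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((name, rtype, pkt[off:off + rdlen]))
        off += rdlen
    return {"qid": qid, "flags": flags, "questions": questions, "answers": answers}


def build_reply(query, rrs):
    """Constructed reply: copy the question, add RRs whose owner name points at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    pkt = struct.pack("!HHHHHH", qid, 0x8180, 1, len(rrs), 0, 0) + query[12:]
    for rtype, rdata in rrs:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return pkt


def has_rrsig(reply):
    return any(rtype == TYPE_RRSIG for _, rtype, _ in reply["answers"])


def first_matching(query, replies):
    """Stub-resolver behaviour: take the first reply whose QID matches, then stop listening."""
    qid = struct.unpack("!H", query[:2])[0]
    for _ttl, pkt in replies:
        reply = parse_reply(pkt)
        if reply["qid"] == qid:
            return reply
    return None


def collect_matching(query, replies):
    """Keep listening until the timeout: every (ttl_sent, reply) pair for this QID, in order."""
    qid = struct.unpack("!H", query[:2])[0]
    parsed = [(ttl, parse_reply(pkt)) for ttl, pkt in replies]
    return [(ttl, r) for ttl, r in parsed if r["qid"] == qid]


def injection_hop(query, replies):
    """Lowest TTL at which an unsigned answer came back: the injector's hop distance."""
    hops = [ttl for ttl, r in collect_matching(query, replies) if not has_rrsig(r)]
    return min(hops) if hops else None


def distinct_answer_sets(query, replies):
    """More than one distinct RRset for one QID means something on the path injected a reply."""
    return len({tuple(sorted(r["answers"])) for _, r in collect_matching(query, replies)})


def dns_traceroute(query, dst, max_ttl=30, wait=1.0):
    """Network sketch (needs connectivity): same query at TTL 1..max_ttl, UDP replies per TTL.
    ICMP TTL-exceeded messages are not captured; that needs a raw socket or tcpdump."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        for ttl in range(1, max_ttl + 1):
            s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            s.sendto(query, (dst, 53))
            try:
                while True:
                    pkt, _ = s.recvfrom(4096)
                    replies.append((ttl, pkt))
            except socket.timeout:
                pass
    return replies


# Constructed sample: an injector 5 hops out answers with a bare A record at
# every TTL >= 5; the real server, 12 hops out, answers with A + RRSIG.
QUERY = build_query("twitter.com", 0x1234)
FORGED = build_reply(QUERY, [(TYPE_A, bytes([203, 0, 113, 7]))])
GENUINE = build_reply(QUERY, [(TYPE_A, bytes([198, 51, 100, 23])),
                              (TYPE_RRSIG, b"\x00" * 18)])
SAMPLE_REPLIES = [(ttl, FORGED) for ttl in range(5, 13)] + [(12, GENUINE)]
```

To use it on a real path, call dns_traceroute(QUERY, "<resolver or authoritative IP>") from a host on the far side of the injecting network and feed the result to injection_hop and distinct_answer_sets. The post's point that the query itself is not dropped comes from the "TTL exceeded" messages, which a plain UDP socket does not see; watch for those with a raw socket or a tcpdump running alongside.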