[dns-operations] a question about the nameservers
Lutz Donnerhacke
lutz at iks-jena.de
Fri Oct 26 10:11:33 UTC 2012
* Feng He wrote:
> If the nameservers in parent is different from the ones in auth-servers,
> what will happen?
For the first query the glue data will be used (NS in the parent zone).
For later queries the resolver should requery the NS from the authoritative
servers.
> im. 172800 IN NS hoppy.iom.com.
> im. 172800 IN NS pebbles.iom.com.
> im. 172800 IN NS ns4.ja.net.
> im. 172800 IN NS barney.advsys.co.uk.
> ;; Received 222 bytes from 198.41.0.4#53(a.root-servers.net) in 240 ms
So we have
hoppy.iom.com has address 217.23.163.140
pebbles.iom.com has address 80.168.83.242
ns4.ja.net has address 193.62.157.66
ns4.ja.net has IPv6 address 2001:630:0:47::42
barney.advsys.co.uk has address 217.23.160.50
five different IP addresses to ask for anything beyond im.
All these servers report:
;; ANSWER SECTION:
im. 3600 IN NS hoppy.iom.com.
im. 3600 IN NS pebbles.iom.com.
im. 3600 IN NS barney.advsys.co.uk.
im. 3600 IN NS ns4.ja.net.
;; SERVER: 80.168.83.242#53(and for each other server)
;; WHEN: Fri Oct 26 12:06:50 2012
;; MSG SIZE rcvd: 174
But you see:
> tel.im. 259200 IN NS ans.amchina.net.
> tel.im. 259200 IN NS bns.amchina.net.
> tel.im. 259200 IN NS cns.amchina.net.
> tel.im. 259200 IN NS dns.amchina.net.
> ;; Received 107 bytes from 80.168.83.242#53(pebbles.iom.com) in 271 ms
That's forged. And those servers will update the NS again to:
> tel.im. 3600 IN A 14.1.20.54
> tel.im. 3600 IN NS ns1.cloudwebdns.com.
> tel.im. 3600 IN NS ns2.cloudwebdns.com.
> tel.im. 3600 IN NS ns3.cloudwebdns.com.
> tel.im. 3600 IN NS ns4.cloudwebdns.com.
> ;; Received 191 bytes from 173.254.229.119#53(bns.amchina.net) in 234 ms
Which keeps your resolver on the wrong NS for im.
So you are a victim of an attacker.
OTOH, let's query correctly:
im. NS ns4.ja.net.
im. NS hoppy.iom.com.
im. NS barney.advsys.co.uk.
im. NS pebbles.iom.com.
im. NSEC in. NS RRSIG NSEC
im. RRSIG NSEC 8 1 86400 20121101000000 20121024230000 24220 . k+LhRtqiGpILTphjgFyy0nQQupnx48rg/G8RFckfKBETtLZw8rrT5FKl bnUiV3R3eg7mOG9EFj65ST5YVmbxk4TPLO8CDs3BnYUFIex0W4mq3lyT gqm1va0ICul9jpYeMs9+JfJsnJuHWrXFJWX6vlwjHtHSXQn5QwgkxEtt z7I=
;; Received 412 bytes from 2001:500:3::42#53(L.ROOT-SERVERS.NET) in 45 ms
Bad luck, the IM registry is not up to date.
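
Added example, not part of the original message: a small Python check that parses dig-style NS lines and compares the NS set handed out by the parent with the NS set the delegated servers return for the same zone, using the records quoted in the thread. The function names (canon, parse_ns, compare_delegation) are hypothetical, and the sample data is the thread's own output, partly rebuilt with a loop to keep the block short.

```python
import re

# "owner [ttl] [IN] NS target", as dig prints it (TTL and class are optional).
NS_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?NS\s+(?P<target>\S+)\s*$",
    re.IGNORECASE)

def canon(name):
    """Lower-case, absolute form: 'NS4.ja.net' and 'ns4.ja.net.' compare equal."""
    return name.lower().rstrip(".") + "."

def parse_ns(text):
    """Return {owner: {target: ttl or None}} from dig-style text."""
    rrsets = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        m = None if line.startswith(";") else NS_LINE.match(line)
        if m:
            ttl = int(m["ttl"]) if m["ttl"] else None
            rrsets.setdefault(canon(m["owner"]), {})[canon(m["target"])] = ttl
    return rrsets

def compare_delegation(parent_text, child_text, zone):
    """Diff the NS set in the parent's referral against the zone's own NS set."""
    zone = canon(zone)
    parent = parse_ns(parent_text).get(zone, {})
    child = parse_ns(child_text).get(zone, {})
    return {
        "consistent": bool(parent) and set(parent) == set(child),
        "only_parent": sorted(set(parent) - set(child)),
        "only_child": sorted(set(child) - set(parent)),
        "ttls": tuple(sorted({t for t in s.values() if t is not None}) for s in (parent, child)),
    }

# Records as quoted in the message above (tel.im. lines rebuilt by loop).
IM_PARENT = """> im. 172800 IN NS hoppy.iom.com.
> im. 172800 IN NS pebbles.iom.com.
> im. 172800 IN NS ns4.ja.net.
> im. 172800 IN NS barney.advsys.co.uk."""
IM_CHILD = """im. 3600 IN NS hoppy.iom.com.
im. 3600 IN NS pebbles.iom.com.
im. 3600 IN NS barney.advsys.co.uk.
im. 3600 IN NS ns4.ja.net."""
TEL_PARENT = "\n".join(f"> tel.im. 259200 IN NS {x}ns.amchina.net." for x in "abcd")
TEL_CHILD = "tel.im. 3600 IN A 14.1.20.54\n" + "\n".join(
    f"tel.im. 3600 IN NS ns{i}.cloudwebdns.com." for i in range(1, 5))

if __name__ == "__main__":
    print(compare_delegation(IM_PARENT, IM_CHILD, "im"))
    print(compare_delegation(TEL_PARENT, TEL_CHILD, "tel.im"))
```

For im. the two sets match by name and differ only in TTL; for tel.im. the sets are disjoint, which is the switch of name servers the message walks through.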