[dns-operations] alidns

Hauke Lampe lampe at hauke-lampe.de
Tue Jun 17 04:29:12 UTC 2014


On 16.06.2014 13:58, Stephane Bortzmeyer wrote:

>> anybody give a test and review on alidns.com?
> 
> Lying resolver. (The real addresses are in 173.252.96.0/19)
> 
> % dig @223.5.5.5 A facebook.com
> 
> ;; ANSWER SECTION:
> facebook.com.		27381 IN A 59.24.3.173

That looks just like the usual Chinese Filters to me. I don't think you
can blame the resolver operator but it sure limits its usefulness from
outside China.

Try this in scapy:

> ans=sr(IP(dst="223.5.5.5",ttl=(1,30))/UDP(dport=53)/DNS(qd=DNSQR(qname="foobartwitter.com")),multi=1,timeout=2,inter=1)[0];ans.show()

> 0009 IP / UDP / DNS Qry "foobartwitter.com"  ==> IP / ICMP 213.140.49.5 > 192.168.0.60 time-exceeded ttl-zero-during-transit / IPerror / UDPerror
> 0012 IP / UDP / DNS Qry "foobartwitter.com"  ==> IP / ICMP 202.97.51.245 > 192.168.0.60 time-exceeded ttl-zero-during-transit / IPerror / UDPerror
> 0013 IP / UDP / DNS Qry "foobartwitter.com"  ==> IP / ICMP 202.97.33.129 > 192.168.0.60 time-exceeded ttl-zero-during-transit / IPerror / UDPerror
> 0015 IP / UDP / DNS Qry "foobartwitter.com"  ==> IP / UDP / DNS Ans "37.61.54.158"

The first response comes back just as the packet crosses the border:

>>>> ans[15][1][IP].src  
> '223.5.5.5'
>>>> conf.AS_resolver.resolve(ans[13][1][IP].src)
> [('202.97.33.129', 4134, 'CHINANET-BACKBONE No.31,Jin-rong Street,CN')]

The resolver *does* eventually answer, although with NODATA instead of
NXDOMAIN:

>>>> ans[34][1][DNS].show()
> ###[ DNS ]###
>   id= 0
>   qr= 1L
>   opcode= QUERY
>   aa= 0L
>   tc= 0L
>   rd= 0L
>   ra= 1L
>   z= 0L
>   rcode= ok
>   qdcount= 1
>   ancount= 0
>   nscount= 13
>   arcount= 14
>   \qd\
>    |###[ DNS Question Record ]###
>    |  qname= 'foobartwitter.com.'
>    |  qtype= A
>    |  qclass= IN
>   an= None
>   \ns\
>    |###[ DNS Resource Record ]###
>    |  rrname= 'com.'
>    |  type= NS
>    |  rclass= IN
>    |  ttl= 129456
>    |  rdlen= 20
>    |  rdata= 'h.gtld-servers.net.'


Hauke.
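
The TTL-sweep reasoning in the message above, as an added example that is not part of the original post: a DNS answer drawn by a probe whose TTL expired in transit cannot have come from the resolver, even though its source address says so. The `Reply` tuple, the `analyse` function and the sample data (RFC 5737 documentation addresses, made-up TTLs) are assumptions of this example, not values from the thread.

```python
from collections import namedtuple

# One reply to a TTL-limited DNS probe (field names are this example's own).
# kind: "ttl-exceeded" (ICMP from a router) or "dns" (a DNS response).
Reply = namedtuple("Reply", "probe_ttl kind src rdata")

def analyse(replies):
    """Separate DNS replies that cannot have come from the resolver."""
    expired = {r.probe_ttl: r.src for r in replies if r.kind == "ttl-exceeded"}
    # Probes up to this TTL died in transit, so the resolver never saw them.
    last_transit = max(expired, default=0)
    injected, unverified = [], []
    for r in replies:
        if r.kind != "dns":
            continue
        (injected if r.probe_ttl <= last_transit else unverified).append(r)
    first = min((r.probe_ttl for r in injected), default=None)
    return {
        "injected": injected,        # answered although the probe expired en route
        "unverified": unverified,    # probe could have reached the resolver
        "first_injection_ttl": first,
        # Router that reported the expiry of the first probe to draw such an answer.
        "injection_hop": expired.get(first),
    }

# Constructed sample: resolver 12 hops away, forged answers start at hop 10.
RESOLVER = "192.0.2.53"
SAMPLE = [
    Reply(8, "ttl-exceeded", "198.51.100.8", None),
    Reply(9, "ttl-exceeded", "198.51.100.9", None),
    Reply(10, "ttl-exceeded", "203.0.113.10", None),
    Reply(10, "dns", RESOLVER, "203.0.113.200"),  # source claims to be the resolver
    Reply(11, "ttl-exceeded", "203.0.113.11", None),
    Reply(11, "dns", RESOLVER, "203.0.113.201"),
    Reply(12, "dns", RESOLVER, "203.0.113.202"),  # races the real answer
    Reply(12, "dns", RESOLVER, None),             # NODATA, arrives later
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for r in result["injected"]:
        print(f"ttl={r.probe_ttl} answer={r.rdata} claims src={r.src}: injected on path")
    print("first forged answer at ttl", result["first_injection_ttl"],
          "near hop", result["injection_hop"])
```

Replies left in `unverified` still need a second check, since a forged answer can also race the genuine one for probes that do reach the resolver.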