[dns-operations] Bloke takes over every .io domain by snapping up crucial name servers

Robert Edmonds edmonds at mycre.ws
Tue Jul 11 17:08:14 UTC 2017


Stephane Bortzmeyer wrote:
> On Tue, Jul 11, 2017 at 02:29:19PM +0100,
>  Ray Bellis <ray at isc.org> wrote 
>  a message of 16 lines which said:
> 
> > Or not:
> > 
> > http://mpounsett.blogspot.co.uk/2017/07/the-io-error-problem-with-bad-optics.html
> 
> Or partially (the "attacker" did receive a lot of DNS traffic,
> depending on the resolver's behavior).

Yeah, it's pretty clear he did attract some fraction of the DNS traffic
for .io; he has (had) the pcaps, and DNSDB observed referrals for the
domains that he registered.

Matt's article assumes resolvers that are happy to use glue addresses to
reach nameservers but there are at least some resolver implementations
that actively attempt to find a zone's authoritative nameserver
addresses when following a delegation rather than relying on glue
address records.

It's wrong to imply that obtaining delegations for 4/7 of the NSDNAMEs
for an NS RRset lets you steal 4/7 of the traffic for that zone, though,
because you don't know what mixture of resolver behaviors you're going
to get. (Even excluding resolver RTT preference and TTL effects.)

    ;;  bailiwick: io.
    ;;      count: 532
    ;; first seen: 2017-07-05 15:37:20 -0000
    ;;  last seen: 2017-07-06 19:37:37 -0000
    ns-a1.io. IN NS ns1.networkobservatory.com.
    ns-a1.io. IN NS ns2.networkobservatory.com.

    ;;  bailiwick: io.
    ;;      count: 356
    ;; first seen: 2017-07-05 18:40:00 -0000
    ;;  last seen: 2017-07-06 19:35:16 -0000
    ns-a2.io. IN NS ns1.networkobservatory.com.
    ns-a2.io. IN NS ns2.networkobservatory.com.

    ;;  bailiwick: io.
    ;;      count: 6,707
    ;; first seen: 2017-07-05 18:38:23 -0000
    ;;  last seen: 2017-07-06 19:41:26 -0000
    ns-a3.io. IN NS ns1.networkobservatory.com.
    ns-a3.io. IN NS ns2.networkobservatory.com.

    ;;  bailiwick: io.
    ;;      count: 4,692
    ;; first seen: 2017-07-05 18:38:23 -0000
    ;;  last seen: 2017-07-06 19:50:37 -0000
    ns-a4.io. IN NS ns1.networkobservatory.com.
    ns-a4.io. IN NS ns2.networkobservatory.com.

-- 
Robert Edmonds
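The DNSDB records quoted above are the evidence that the .io servers really did hand out referrals for the registered NSDNAMEs. As an added example (my own code, not Robert's and not DNSDB's tooling), here is a small parser for that text layout, fed with the four records exactly as pasted, that sums the observed referral counts per delegated name, reports the observation window, and flags NS targets that sit outside the bailiwick the referral was seen in: such targets cannot be covered by glue in that referral, so a resolver has to go and resolve them in a different zone, which is the resolver-behaviour dependency the message points at. Function names and the per-owner aggregation are my assumptions, not anything the page defines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the four DNSDB records quoted in the message, in the
# same text layout. ";;" lines carry metadata, bare lines are RRs, a blank line ends a record.
SAMPLE = """\
;;  bailiwick: io.
;;      count: 532
;; first seen: 2017-07-05 15:37:20 -0000
;;  last seen: 2017-07-06 19:37:37 -0000
ns-a1.io. IN NS ns1.networkobservatory.com.
ns-a1.io. IN NS ns2.networkobservatory.com.

;;  bailiwick: io.
;;      count: 356
;; first seen: 2017-07-05 18:40:00 -0000
;;  last seen: 2017-07-06 19:35:16 -0000
ns-a2.io. IN NS ns1.networkobservatory.com.
ns-a2.io. IN NS ns2.networkobservatory.com.

;;  bailiwick: io.
;;      count: 6,707
;; first seen: 2017-07-05 18:38:23 -0000
;;  last seen: 2017-07-06 19:41:26 -0000
ns-a3.io. IN NS ns1.networkobservatory.com.
ns-a3.io. IN NS ns2.networkobservatory.com.

;;  bailiwick: io.
;;      count: 4,692
;; first seen: 2017-07-05 18:38:23 -0000
;;  last seen: 2017-07-06 19:50:37 -0000
ns-a4.io. IN NS ns1.networkobservatory.com.
ns-a4.io. IN NS ns2.networkobservatory.com.
"""

META_RE = re.compile(r"^;;\s*(bailiwick|count|first seen|last seen):\s*(.+?)\s*$")
RR_RE = re.compile(r"^(\S+)\s+IN\s+([A-Z]+)\s+(\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S %z"   # DNSDB prints timestamps with a -0000 offset

def parse_records(text):
    """Split DNSDB text output into dicts: bailiwick, count, first/last seen, rrs=[(owner, type, rdata)]."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line terminates the current record
            if cur is not None:
                records.append(cur)
                cur = None
            continue
        if cur is None:
            cur = {"rrs": []}
        m = META_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            if key == "count":
                cur[key] = int(val.replace(",", ""))   # "6,707" -> 6707
            elif key in ("first seen", "last seen"):
                cur[key] = datetime.strptime(val, TS_FMT)
            else:
                cur[key] = val
            continue
        m = RR_RE.match(line)
        if m:
            cur["rrs"].append(m.groups())
    if cur is not None:
        records.append(cur)
    return records

def referrals_by_owner(records, bailiwick="io."):
    """Observed referral count per delegated name, for NS RRsets seen from the given bailiwick."""
    totals = defaultdict(int)
    for r in records:
        if r.get("bailiwick") != bailiwick:
            continue
        for owner in {o for o, t, _ in r["rrs"] if t == "NS"}:
            totals[owner] += r["count"]       # one RRset sighting counts once per owner
    return dict(totals)

def out_of_bailiwick_targets(records):
    """NS targets not under the bailiwick they were seen in: no glue can accompany
    them in that referral, so a resolver must look them up in another zone."""
    found = set()
    for r in records:
        suffix = "." + r.get("bailiwick", "")
        for _, t, target in r["rrs"]:
            if t == "NS" and not target.endswith(suffix):
                found.add(target)
    return found

def observation_window(records):
    """(earliest first seen, latest last seen) across all records."""
    return (min(r["first seen"] for r in records),
            max(r["last seen"] for r in records))
```

Run it on the pasted block and the per-owner totals reproduce the four counts; note that every sighting lists both networkobservatory.com targets, so a per-target breakdown would not tell you anything about which server resolvers went to afterwards, which is exactly the information DNSDB referrals cannot give you.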



More information about the dns-operations mailing list