[dns-operations] Detecting DNS hijacking (Was: new public DNS service: 9.9.9.9

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Nov 21 11:36:44 UTC 2017


On Mon, Nov 20, 2017 at 04:58:11PM +0100,
 A. Schulze <sca at andreasschulze.de> wrote 
 a message of 17 lines which said:

> "dig @8.8.8.8 hostname.bind. txt chaos" would be a weak indicator
> for example but unfortunately, Google don't respond to such queries.

Or to NSID, alas. This would help in practice because most hijackers
don't bother (today) to fake the NSID reply.

But, as you say, it is only a weak indicator. The proper solution is
DNS-over-TLS (RFC 7858), which Quad9 deploys (Google should, too).

Example of root hijacking, measured by RIPE Atlas probes:

Measurement #10277043 caught rogue copies of K-root with NSID:

Real ones:

[NSID: ns1.de-kae.k.ripe.net a.root-servers.net. nstld.verisign-grs.com. 2017112100 1800 900 604800 86400] : 1 occurrences 
[NSID: ns2.de-fra.k.ripe.net a.root-servers.net. nstld.verisign-grs.com. 2017112100 1800 900 604800 86400] : 9 occurrences 
[NSID: ns1.ru-led.k.ripe.net a.root-servers.net. nstld.verisign-grs.com. 2017112100 1800 900 604800 86400] : 1 occurrences 

Rogue ones (note also the serials):

[a.root-servers.net. nstld.verisign-grs.com. 2017112000 1800 900 604800 86400] : 6 occurrences 
[a.root-servers.net. nstld.verisign-grs.com. 2017111801 1800 900 604800 86400] : 1 occurrences 
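As an added illustration (not part of the original message or of any RIPE Atlas tooling), the following script parses result lines in the shape quoted above and applies the two signals the message relies on: whether the response carries an NSID at all, and whether the SOA serial matches the serial reported by the instances that identify themselves as genuine. The sample input is constructed from the lines quoted in the message; the expected NSID suffix `.k.ripe.net` and the "highest serial among genuine-looking responses" reference rule are the script's own assumptions, not something the message prescribes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the result lines quoted in the message above, not live data.
SAMPLE_RESULTS = """\
[NSID: ns1.de-kae.k.ripe.net a.root-servers.net. nstld.verisign-grs.com. 2017112100 1800 900 604800 86400] : 1 occurrences
[NSID: ns2.de-fra.k.ripe.net a.root-servers.net. nstld.verisign-grs.com. 2017112100 1800 900 604800 86400] : 9 occurrences
[NSID: ns1.ru-led.k.ripe.net a.root-servers.net. nstld.verisign-grs.com. 2017112100 1800 900 604800 86400] : 1 occurrences
[a.root-servers.net. nstld.verisign-grs.com. 2017112000 1800 900 604800 86400] : 6 occurrences
[a.root-servers.net. nstld.verisign-grs.com. 2017111801 1800 900 604800 86400] : 1 occurrences
"""

# One result line: optional "NSID: <name>", then the SOA RDATA fields, then an occurrence count.
LINE_RE = re.compile(
    r"^\[(?:NSID:\s*(?P<nsid>\S+)\s+)?"
    r"(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+"
    r"(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\]"
    r"\s*:\s*(?P<count>\d+)\s+occurrences?\s*$"
)


@dataclass
class SoaObservation:
    nsid: Optional[str]   # None when the responder returned no NSID option
    mname: str
    serial: int
    count: int            # number of probes that saw this exact answer


def parse_results(text: str) -> List[SoaObservation]:
    """Parse measurement-summary lines; non-blank lines that do not match are rejected."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable result line: {line!r}")
        observations.append(SoaObservation(
            nsid=m.group("nsid"),
            mname=m.group("mname"),
            serial=int(m.group("serial")),
            count=int(m.group("count")),
        ))
    return observations


def classify(observations: List[SoaObservation],
             expected_nsid_suffix: str = ".k.ripe.net") -> Tuple[int, List[Tuple[SoaObservation, List[str]]]]:
    """Attach a list of suspicion reasons to every observation.

    Assumption: the reference serial is the highest serial reported by a responder whose
    NSID lies inside the expected operator name space. An empty reasons list means the
    answer is consistent with the genuine instances.
    """
    genuine = [o for o in observations if o.nsid and o.nsid.endswith(expected_nsid_suffix)]
    if not genuine:
        raise ValueError("no response with an NSID in the expected name space; cannot pick a reference serial")
    reference_serial = max(o.serial for o in genuine)

    verdicts = []
    for o in observations:
        reasons = []
        if o.nsid is None:
            reasons.append("no NSID in response")          # weak signal: hijackers mostly do not fake it (yet)
        elif not o.nsid.endswith(expected_nsid_suffix):
            reasons.append(f"NSID {o.nsid} outside {expected_nsid_suffix}")
        if o.serial != reference_serial:
            reasons.append(f"SOA serial {o.serial} != reference {reference_serial}")
        verdicts.append((o, reasons))
    return reference_serial, verdicts


def summarize(text: str, expected_nsid_suffix: str = ".k.ripe.net") -> Dict[str, object]:
    """Aggregate probe counts into a small report suitable for a monitoring check."""
    reference_serial, verdicts = classify(parse_results(text), expected_nsid_suffix)
    return {
        "reference_serial": reference_serial,
        "total_probes": sum(o.count for o, _ in verdicts),
        "suspect_probes": sum(o.count for o, reasons in verdicts if reasons),
        "suspect_serials": sorted({o.serial for o, reasons in verdicts if reasons}),
    }


if __name__ == "__main__":
    _, verdicts = classify(parse_results(SAMPLE_RESULTS))
    for obs, reasons in verdicts:
        tag = "SUSPECT" if reasons else "ok"
        print(f"{tag:7} x{obs.count:<3} nsid={obs.nsid or '-':24} serial={obs.serial} {'; '.join(reasons)}")
    print(summarize(SAMPLE_RESULTS))
```

On the sample above the six-plus-one answers without NSID are also the ones with lagging serials, which is the combination the message points at. Either signal alone is weaker: a serial one step behind can be an ordinary zone-distribution delay on a genuine instance, and an absent NSID only means the responder did not implement or chose not to answer the option, so a real deployment should alert on the combination or on persistence over time rather than on a single probe.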
