[dns-operations] [Ext] K-root in CN leaking outside of CN

Paul Hoffman paul.hoffman at icann.org
Sat Nov 6 15:53:19 UTC 2021

On Nov 5, 2021, at 9:13 PM, Manu Bretelle <chantr4 at gmail.com> wrote:
> Looking a bit more into it:
> Querying d.ns.facebook.com/A against k-root directly from MX probes:
>  https://atlas.ripe.net/measurements/33184386/
> ```
> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
> [] : 13 occurrences
> [] : 1 occurrences
> [] : 1 occurrences
> [] : 2 occurrences
> [] : 1 occurrences
> [] : 1 occurrences
> Test #33184386 done at 2021-11-05T20:36:59Z
> ```
> Getting an answer in the first place is kind of unexpected

Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so no root server will answer with it.

This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "d.ns.facebook.com" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $x.root-servers.net and you get an A record back, the host you are hitting is not run by one of the root server operators.

--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2584 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211106/22b47af8/attachment.bin>

More information about the dns-operations mailing list