[dns-operations] [Ext] K-root in CN leaking outside of CN
paul.hoffman at icann.org
Sat Nov 6 15:53:19 UTC 2021
On Nov 5, 2021, at 9:13 PM, Manu Bretelle <chantr4 at gmail.com> wrote:
> Looking a bit more into it:
> Querying d.ns.facebook.com/A against k-root directly from MX probes:
> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
>  : 13 occurrences
> [184.108.40.206] : 1 occurrences
> [220.127.116.11] : 1 occurrences
> [18.104.22.168] : 2 occurrences
> [22.214.171.124] : 1 occurrences
> [126.96.36.199] : 1 occurrences
> Test #33184386 done at 2021-11-05T20:36:59Z
> Getting an answer in the first place is kind of unexpected
Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so no root server will answer with it.
This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "d.ns.facebook.com" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $x.root-servers.net and you get an A record back, the host you are hitting is not run by one of the root server operators.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2584 bytes
Desc: not available
More information about the dns-operations