[dns-operations] [Ext] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Sat Nov 6 17:59:18 UTC 2021


On Sat, Nov 6, 2021 at 8:53 AM Paul Hoffman <paul.hoffman at icann.org> wrote:

> On Nov 5, 2021, at 9:13 PM, Manu Bretelle <chantr4 at gmail.com> wrote:
> >
> > Looking a bit more into it:
> >
> > Querying d.ns.facebook.com/A against k-root directly from MX probes:
> >  https://atlas.ripe.net/measurements/33184386/
> > ```
> > $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
> > [] : 13 occurrences
> > [202.160.128.195] : 1 occurrences
> > [199.59.148.97] : 1 occurrences
> > [185.89.219.12] : 2 occurrences
> > [31.13.96.193] : 1 occurrences
> > [208.77.47.172] : 1 occurrences
> > Test #33184386 done at 2021-11-05T20:36:59Z
> > ```
> >
> > Getting an answer in the first place is kind of unexpected
>
> Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so
> no root server will answer with it.
>


Thanks Paul,

Yeah, agreed, "kind of" is probably not the right term to use. I
essentially did not care, in this specific example, about any impersonation,
which is why I added "but I will not focus on the ones returning the
correct answer (e.g. 185.89.219.12)". I believe there could be a bazillion
reasons why a probe would behave like that, possibly someone running their
own pi-hole and redirecting all traffic to it, or something in that vein.


>
> This does not sound like leaking, it sounds like impersonation. (I say
> this without doing the level of research you clearly have done!) That is, a
> K-root instance inside or outside of $country would reply to a query for
> "d.ns.facebook.com" with a referral, not an answer. Thus, if you are
> sending that query to one of the IP addresses for $x.root-servers.net and
> you get an A record back, the host you are hitting is not run by one of the
> root server operators.
>

To be more precise, I think it is leaking *and* impersonation. I didn't
mean to say that k-root there would answer incorrectly, but something in
between does.

Thanks,
Manu


> --Paul Hoffman
>
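
The distinction drawn in the thread above (a root server returns a referral for d.ns.facebook.com, never an A record), as an added example that is not part of the original messages: a Python check over raw DNS response bytes. The function names are hypothetical and both sample messages are constructed here.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_root_reply(msg):
    """Classify a reply to a non-root-zone query sent to a root server address."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    rtypes = []
    for _ in range(an + ns):                   # answer RRs, then authority RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rtypes.append(rtype)
        off += 10 + rdlen
    if an > 0:
        return "unexpected-answer"             # a root server would not send this
    if flags & 0xF == 0 and 2 in rtypes[an:]:  # NOERROR with NS in authority
        return "referral"
    return "other"

def build_reply(qname, answers=(), authority=()):
    def rr(owner, rtype, rdata):
        return encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, 0x8000, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    return header + question + b"".join(rr(*r) for r in list(answers) + list(authority))

# Constructed samples: a referral to the com servers, and an A answer using
# one of the addresses from the measurement output quoted in the message.
QNAME = "d.ns.facebook.com"
REFERRAL = build_reply(QNAME, authority=[("com", 2, encode_name("a.gtld-servers.net"))])
ANSWER = build_reply(QNAME, answers=[(QNAME, 1, bytes([185, 89, 219, 12]))])
if __name__ == "__main__":
    print(classify_root_reply(REFERRAL), classify_root_reply(ANSWER))
```
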