[dns-operations] [Ext] K-root in CN leaking outside of CN
Geoff Huston
gih at apnic.net
Sat Nov 6 19:57:49 UTC 2021
> On 7 Nov 2021, at 2:53 am, Paul Hoffman <paul.hoffman at icann.org> wrote:
>
> On Nov 5, 2021, at 9:13 PM, Manu Bretelle <chantr4 at gmail.com> wrote:
>>
>> Looking a bit more into it:
>>
>> Querying d.ns.facebook.com/A against k-root directly from MX probes:
>> https://atlas.ripe.net/measurements/33184386/
>> ```
>> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
>> [] : 13 occurrences
>> [202.160.128.195] : 1 occurrences
>> [199.59.148.97] : 1 occurrences
>> [185.89.219.12] : 2 occurrences
>> [31.13.96.193] : 1 occurrences
>> [208.77.47.172] : 1 occurrences
>> Test #33184386 done at 2021-11-05T20:36:59Z
>> ```
>>
>> Getting an answer in the first place is kind of unexpected
>
> Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so no root server will answer with it.
>
> This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "d.ns.facebook.com" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $x.root-servers.net and you get an A record back, the host you are hitting is not run by one of the root server operators.
I must agree with Paul. This is not a root server, it's impersonation. DNS query interception has been observed within China for years - here's a dig result I recorded in 2013 when I was in China for an APNIC conference:
```
$ dig @m.root-servers.net www.facebook.com
; <<>> DiG 9.9.3-P1 <<>> @m.root-servers.net. www.facebook.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com IN A
;; ANSWER SECTION:
www.facebook.com. 300 IN A 255.255.255.255
;; Query time: 38 msec
;; SERVER: 2001:dc3::35#53(2001:dc3::35)
;; WHEN: Tue Aug 27 19:07:12 EST 2013
;; MSG SIZE rcvd: 50
```
Normally this behaviour (where a query to a root server address received a response rather than a referral) was only visible within an area that was covered by the GFW.
Geoff Huston
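As an added example (not part of this thread or written by its participants), here is a small pure-Python check for the distinction Paul and Geoff describe: a genuine root server replies to a query for a name outside the root zone with a referral (no answer records, NS records in the authority section, RA clear), so an answer record or the RA flag from a root-server address indicates a responder that is not a root server. The test name www.example.com and the two constructed sample replies are assumptions; `probe()` sends a live UDP query.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal A/IN query with RD=0, as a resolver sends it to a root server."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)

def classify(wire: bytes) -> dict:
    """Read only the 12-byte header: a real root server answers a query for a
    name outside the root zone with a referral (ANCOUNT=0, NSCOUNT>0, RA clear).
    Answer RRs, or RA set, mean the responder is not behaving as a root server."""
    _, flags, _, an, ns, _ = struct.unpack("!HHHHHH", wire[:12])
    rcode, aa, ra = flags & 0xF, bool(flags & 0x0400), bool(flags & 0x0080)
    if rcode != 0:
        verdict = "error"
    elif an > 0:
        verdict = "answer"      # not root-server behaviour for this name
    elif ns > 0:
        verdict = "referral"    # the expected reply from a real root server
    else:
        verdict = "empty"
    return {"verdict": verdict, "rcode": rcode, "aa": aa, "ra": ra,
            "suspicious": verdict == "answer" or ra}

def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query over UDP (IPv4) to a root server and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (socket.gethostbyname(server), 53))
        wire, _ = s.recvfrom(4096)
    if wire[:2] != q[:2]:
        return {"verdict": "id mismatch", "suspicious": True}
    return classify(wire)

# Constructed sample replies (header plus echoed question; classify() only reads
# the header, so RR bodies are omitted): a clean referral with 13 NS records in
# the authority section, and an intercepted answer carrying the same flags as
# the 2013 dig output above (qr rd ra, one answer RR, no authority records).
_QUESTION = build_query("www.example.com")[12:]
REFERRAL_WIRE = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 13, 0) + _QUESTION
INTERCEPTED_WIRE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(classify(INTERCEPTED_WIRE))
    print(probe("k.root-servers.net", "www.example.com"))  # live query
```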