[dns-operations] [Ext] K-root in CN leaking outside of CN

Geoff Huston gih at apnic.net
Sat Nov 6 19:57:49 UTC 2021



> On 7 Nov 2021, at 2:53 am, Paul Hoffman <paul.hoffman at icann.org> wrote:
> 
> On Nov 5, 2021, at 9:13 PM, Manu Bretelle <chantr4 at gmail.com> wrote:
>> 
>> Looking a bit more into it:
>> 
>> Querying d.ns.facebook.com/A against k-root directly from MX probes:
>> https://atlas.ripe.net/measurements/33184386/
>> ```
>> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
>> [] : 13 occurrences
>> [202.160.128.195] : 1 occurrences
>> [199.59.148.97] : 1 occurrences
>> [185.89.219.12] : 2 occurrences
>> [31.13.96.193] : 1 occurrences
>> [208.77.47.172] : 1 occurrences
>> Test #33184386 done at 2021-11-05T20:36:59Z
>> ```
>> 
>> Getting an answer in the first place is kind of unexpected
> 
> Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so no root server will answer with it.
> 
> This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "d.ns.facebook.com" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $x.root-servers.net and you get an A record back, the host you are hitting is not run by one of the root server operators.


I must agree with Paul. This is not a root server, its impersonation. DNS query interception been observed within China for years - here’s a dig result I recorded in 2013 when I was in China for an APNIC conference

$ dig @m.root-servers.net www.facebook.com
; <<>> DiG 9.9.3-P1 <<>> @m.root-servers.net. www.facebook.com
; (2 servers found)
;; global options: +cmd
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3195 
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 

;; QUESTION SECTION: 
;www.facebook.com IN A 

;; ANSWER SECTION: www.facebook.com. 300 IN A 255.255.255.255 
;; Query time: 38 msec 
;; SERVER: 2001:dc3::35#53(2001:dc3::35) 
;; WHEN: Tue Aug 27 19:07:12 EST 2013 
;; MSG SIZE  rcvd: 50


Normally this behaviour (where a query to a root server address received a response rather than a referral) was only visible within an area that was covered by the GFW.

Geoff Huston




More information about the dns-operations mailing list