[dns-operations] [Ext] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Sat Nov 6 20:20:28 UTC 2021


On Sat, Nov 6, 2021 at 12:57 PM Geoff Huston <gih at apnic.net> wrote:

>
>
> > On 7 Nov 2021, at 2:53 am, Paul Hoffman <paul.hoffman at icann.org> wrote:
> >
> > On Nov 5, 2021, at 9:13 PM, Manu Bretelle <chantr4 at gmail.com> wrote:
> >>
> >> Looking a bit more into it:
> >>
> >> Querying d.ns.facebook.com/A against k-root directly from MX probes:
> >> https://atlas.ripe.net/measurements/33184386/
> >> ```
> >> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
> >> [] : 13 occurrences
> >> [202.160.128.195] : 1 occurrences
> >> [199.59.148.97] : 1 occurrences
> >> [185.89.219.12] : 2 occurrences
> >> [31.13.96.193] : 1 occurrences
> >> [208.77.47.172] : 1 occurrences
> >> Test #33184386 done at 2021-11-05T20:36:59Z
> >> ```
> >>
> >> Getting an answer in the first place is kind of unexpected
> >
> > Not "kind of": definitely. d.ns.facebook.com is not in the root zone,
> so no root server will answer with it.
> >
> > This does not sound like leaking, it sounds like impersonation. (I say
> this without doing the level of research you clearly have done!) That is, a
> K-root instance inside or outside of $country would reply to a query for "
> d.ns.facebook.com" with a referral, not an answer. Thus, if you are
> sending that query to one of the IP addresses for $x.root-servers.net and
> you get an A record back, the host you are hitting is not run by one of the
> root server operators.
>
>
> I must agree with Paul. This is not a root server, its impersonation. DNS
> query interception been observed within China for years - here’s a dig
> result I recorded in 2013 when I was in China for an APNIC conference
>

Thanks Geoff,

Yeah, I reply to Paul's message earlier that this was likely leak **and**
impersonation. I believe back in 2013 there were no root servers in China,
but there is now. What seemed (now fixed) to happen per the traceroutes in
ripe-atlas report --renderer traceroute --traceroute-show-asns  33184963

was that traffic from MX transiting through AS22908 would then go
through AS4134 (China Telecom Backbone) -> AS58466  (Chinanet  Guangdong
province) -> AS25152 (RIPE) to get to k-root.

So this is what I call the leak, which had a side effect of impersonation
probably for the same reasons as your 2013 dig trace.

Manu

>
> $ dig @m.root-servers.net www.facebook.com
> ; <<>> DiG 9.9.3-P1 <<>> @m.root-servers.net. www.facebook.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3195
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.facebook.com IN A
>
> ;; ANSWER SECTION: www.facebook.com. 300 IN A 255.255.255.255
> ;; Query time: 38 msec
> ;; SERVER: 2001:dc3::35#53(2001:dc3::35)
> ;; WHEN: Tue Aug 27 19:07:12 EST 2013
> ;; MSG SIZE  rcvd: 50
>
>
> Normally this behaviour (where a query to a root server address received a
> response rather than a referral) was only visible within an area that was
> covered by the GFW.
>
> Geoff Huston
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211106/df04fb10/attachment.html>


More information about the dns-operations mailing list