[dns-operations] [Ext] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Mon Nov 8 16:58:06 UTC 2021


>>
>>
>
> Thanks Paul,
>
> Yeah, agreed, "kind of" is probably not the right term to use. I
> essentially did not care in this specific example of any impersonation
> which is why I added "but I will not focus on the ones returning the
> correct answer (e.g 185.89.219.12)". I believe there could be a bazillion
> reasons why a probe would behave like that, possibly someone running their
> own pi-hole and redirecting all traffic to it, or something in that vein.
>

Not to go astray from the initial discussion in this thread, but closing
the loop. Those 2 probes returning the "right" answer indeed seem to
intercept all DNS traffic within their network to a local DNS server.

```
$ ripe-atlas report --renderer traceroute --traceroute-show-asns  33206215

Probe #51510
Sat Nov 06 13:36:43 PDT 2021

  1 193.0.14.129                  AS25152    8.057 ms     1.326 ms
1.258 ms

Probe #51975
Sat Nov 06 13:36:42 PDT 2021

  1 192.168.50.1                             2.208 ms     1.742 ms
6.647 ms
  2 192.168.40.1                              1.11 ms            *
   *
  3 193.0.14.129                  AS25152    1.689 ms     1.913 ms
1.862 ms
```

Manu

>
>
>>
>> This does not sound like leaking, it sounds like impersonation. (I say
>> this without doing the level of research you clearly have done!) That is, a
>> K-root instance inside or outside of $country would reply to a query for "
>> d.ns.facebook.com" with a referral, not an answer. Thus, if you are
>> sending that query to one of the IP addresses for $x.root-servers.net
>> and you get an A record back, the host you are hitting is not run by one of
>> the root server operators.
>>
>
> To be more precise, I think it is leaking *and* impersonation. I didn't
> mean to say that k-root there would answer incorrectly, but something in
> between does.
>
> Thanks,
> Manu
>
>
>> --Paul Hoffman
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211108/cd57670f/attachment.html>


More information about the dns-operations mailing list