[dns-operations] [Ext] K-root in CN leaking outside of CN
chantr4 at gmail.com
Mon Nov 8 16:58:06 UTC 2021
> Thanks Paul,
> Yeah, agreed, "kind of" is probably not the right term to use. I
> essentially did not care in this specific example of any impersonation
> which is why I added "but I will not focus on the ones returning the
> correct answer (e.g. 188.8.131.52)". I believe there could be a bazillion
> reasons why a probe would behave like that, possibly someone running their
> own pi-hole and redirecting all traffic to it, or something in that vein.
Not to go astray from the initial discussion in this thread, but closing
the loop. Those 2 probes returning the "right" answer indeed seem to
intercept all DNS traffic within their network to a local DNS server.
$ ripe-atlas report --renderer traceroute --traceroute-show-asns 33206215
Sat Nov 06 13:36:43 PDT 2021
1 184.108.40.206 AS25152 8.057 ms 1.326 ms
Sat Nov 06 13:36:42 PDT 2021
1 192.168.50.1 2.208 ms 1.742 ms
2 192.168.40.1 1.11 ms *
3 220.127.116.11 AS25152 1.689 ms 1.913 ms
>> This does not sound like leaking, it sounds like impersonation. (I say
>> this without doing the level of research you clearly have done!) That is, a
>> K-root instance inside or outside of $country would reply to a query for
>> "d.ns.facebook.com" with a referral, not an answer. Thus, if you are
>> sending that query to one of the IP addresses for $x.root-servers.net
>> and you get an A record back, the host you are hitting is not run by one of
>> the root server operators.
> To be more precise, I think it is leaking *and* impersonation. I didn't
> mean to say that k-root there would answer incorrectly, but something in
> between does.
>> --Paul Hoffman
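The referral-versus-answer test described in the quoted text above, sketched as an added example that is not part of the original thread: it parses a raw DNS response and reports whether it is a referral (what a root server sends for "d.ns.facebook.com") or a direct answer. The message builder, the `a.gtld-servers.net` NS target, and the 192.0.2.1 address are constructed for illustration.

```python
import struct
TYPE_A, TYPE_NS, AA_BIT = 1, 2, 0x0400

def encode_name(name):
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_response(qname, answers=(), authority=(), aa=False):
    """Build a constructed response; each RR is (owner, type, rdata bytes)."""
    flags = 0x8000 | (AA_BIT if aa else 0)  # QR=1, RCODE=0
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!2H", TYPE_A, 1)
    for owner, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack("!2HIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def read_types(msg, off, count):
    """Return the RR types of `count` records from `off`, plus the end offset."""
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return types, off

def classify(msg):
    """Classify a response that came from a root server address."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    an_types, off = read_types(msg, off, an)
    ns_types, off = read_types(msg, off, ns)
    if an_types:
        return "answer"    # a root server does not answer for this name
    if TYPE_NS in ns_types and not flags & AA_BIT:
        return "referral"  # NS records in authority section, AA clear
    return "other"

# Constructed samples: a root-style referral to com., and a direct A answer.
COM_NS = ("com", TYPE_NS, encode_name("a.gtld-servers.net"))
REFERRAL = build_response("d.ns.facebook.com", authority=[COM_NS])
ANSWER = build_response("d.ns.facebook.com", answers=[("d.ns.facebook.com", TYPE_A, bytes([192, 0, 2, 1]))])
```

`classify()` takes the raw UDP payload of a response; a result of `answer` from a root server address is the impersonation signal discussed in the thread.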