<div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote">On Sat, Nov 6, 2021 at 8:53 AM Paul Hoffman <<a href="mailto:paul.hoffman@icann.org" target="_blank">paul.hoffman@icann.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote">On Nov 5, 2021, at 9:13 PM, Manu Bretelle <<a href="mailto:chantr4@gmail.com" target="_blank">chantr4@gmail.com</a>> wrote:<br>><br>> Looking a bit more into it:<br>><br>> Querying <a href="http://d.ns.facebook.com/A" rel="noreferrer" target="_blank">d.ns.facebook.com/A</a> against k-root directly from MX probes:<br>>  <a href="https://atlas.ripe.net/measurements/33184386/" rel="noreferrer" target="_blank">https://atlas.ripe.net/measurements/33184386/</a><br>
> ```<br>> $ blaeu-resolve -m 33184386 -q A <a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a><br>> [] : 13 occurrences<br>> [202.160.128.195] : 1 occurrences<br>> [199.59.148.97] : 1 occurrences<br>> [185.89.219.12] : 2 occurrences<br>> [31.13.96.193] : 1 occurrences<br>> [208.77.47.172] : 1 occurrences<br>> Test #33184386 done at 2021-11-05T20:36:59Z<br>
> ```<br>><br>> Getting an answer in the first place is kind of unexpected<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote><br>
Not "kind of": definitely. <a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a> is not in the root zone, so no root server will answer with it.<br></div></div></blockquote><br><br>Thanks Paul,<br><br>Yeah, agreed, "kind of" is probably not the right term to use. I essentially did not care, in this specific example, about any impersonation, which is why I added "but I will not focus on the ones returning the correct answer (e.g. 185.89.219.12)". I believe there could be a bazillion reasons why a probe would behave like that, possibly someone running their own pi-hole and redirecting all traffic to it, or something in that vein.<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote><br>
This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "<a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a>" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $<a href="http://x.root-servers.net" rel="noreferrer" target="_blank">x.root-servers.net</a> and you get an A record back, the host you are hitting is not run by one of the root server operators.<br></div></div></blockquote><br>To be more precise, I think it is leaking *and* impersonation. I didn't mean to say that k-root there would answer incorrectly, but something in between does.<br><br>Thanks,<br>Manu<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote><br>
--Paul Hoffman</div></div>
</blockquote></div></div>
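The check Paul describes (a genuine root server answers a query for a name outside the root zone with a referral, so an A record in the ANSWER section means some other host replied) can be automated over captured responses. The following is an added example, not code from this thread, from blaeu-resolve or from RIPE Atlas: a small stdlib-only DNS wire parser plus a classifier and a blaeu-resolve-style tally. The two wire messages are constructed for the example; the 185.89.219.12 address is taken from the measurement output quoted above, and the referral points at a.gtld-servers.net as an illustrative com. name server.

```python
"""Classify responses to d.ns.facebook.com/A received from a root-server
address: a referral (empty ANSWER, NS records in AUTHORITY) is what a root
server sends; an ANSWER section means the responder is not a root server.
All sample messages below are constructed for this example."""
import struct

A, NS = 1, 2
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears in place)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Parse the header and all four sections; RRs become (owner, type, rdata)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    sections = {"question": [], "answer": [], "authority": [], "additional": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        sections["question"].append((name, qtype))
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[sec].append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return flags, sections


def classify_root_response(msg):
    """'referral' is the expected root-server behaviour for a name not in the
    root zone; 'answer' means the host that replied is not a root server."""
    flags, sec = parse_response(msg)
    if flags & 0x000F:
        return "error"
    qname, qtype = sec["question"][0]
    if any(r[0] == qname and r[1] == qtype for r in sec["answer"]):
        return "answer"
    if sec["authority"] and all(r[1] == NS for r in sec["authority"]) and not flags & FLAG_AA:
        return "referral"
    return "unexpected"


def rr(owner, rtype, rdata, ttl=172800):
    """Build one RR; owner may be pre-encoded bytes (e.g. a compression pointer)."""
    owner = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def response(qname, qtype, answer=(), authority=(), aa=False):
    """Assemble a response with one question and the given RR sections."""
    flags = FLAG_QR | (FLAG_AA if aa else 0)
    hdr = struct.pack("!HHHHHH", 0x2A2A, flags, 1, len(answer), len(authority), 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answer) + b"".join(authority)


def tally(responses):
    """Group responses the way blaeu-resolve prints them: by the set of A
    addresses in the ANSWER section (empty for a referral), with counts."""
    counts = {}
    for msg in responses:
        _, sec = parse_response(msg)
        addrs = tuple(sorted(".".join(map(str, r[2])) for r in sec["answer"] if r[1] == A))
        counts[addrs] = counts.get(addrs, 0) + 1
    return counts


# Constructed samples: a k-root style referral (owner "com." written as a
# compression pointer to offset 26, the "com" label inside the question) and
# an impersonated answer carrying the address quoted in the thread.
QNAME = "d.ns.facebook.com."
REFERRAL = response(QNAME, A, authority=[rr(b"\xc0\x1a", NS, encode_name("a.gtld-servers.net."))])
IMPERSONATED = response(QNAME, A, answer=[rr(QNAME, A, bytes([185, 89, 219, 12]), ttl=60)], aa=True)

if __name__ == "__main__":
    for label, msg in (("genuine root server", REFERRAL), ("impersonated", IMPERSONATED)):
        print(f"{label}: {classify_root_response(msg)}")
    for addrs, n in tally([REFERRAL] * 13 + [IMPERSONATED] * 2).items():
        print(f"[{' '.join(addrs)}] : {n} occurrences")
```

Run it as a script to see the two classifications and a tally in the `[...] : N occurrences` shape of the output quoted above; fed real captured responses from probes (for instance the raw answers an Atlas measurement returns), `classify_root_response` separates the referrals a root server operator's instance would send from the on-path answers Manu is describing.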