<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Nov 6, 2021 at 12:57 PM Geoff Huston <<a href="mailto:gih@apnic.net">gih@apnic.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
> On 7 Nov 2021, at 2:53 am, Paul Hoffman <<a href="mailto:paul.hoffman@icann.org" target="_blank">paul.hoffman@icann.org</a>> wrote:<br>
> <br>
> On Nov 5, 2021, at 9:13 PM, Manu Bretelle <<a href="mailto:chantr4@gmail.com" target="_blank">chantr4@gmail.com</a>> wrote:<br>
>> <br>
>> Looking a bit more into it:<br>
>> <br>
>> Querying <a href="http://d.ns.facebook.com/A" rel="noreferrer" target="_blank">d.ns.facebook.com/A</a> against k-root directly from MX probes:<br>
>> <a href="https://atlas.ripe.net/measurements/33184386/" rel="noreferrer" target="_blank">https://atlas.ripe.net/measurements/33184386/</a><br>
>> ```<br>
>> $ blaeu-resolve -m 33184386 -q A <a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a><br>
>> [] : 13 occurrences<br>
>> [202.160.128.195] : 1 occurrences<br>
>> [199.59.148.97] : 1 occurrences<br>
>> [185.89.219.12] : 2 occurrences<br>
>> [31.13.96.193] : 1 occurrences<br>
>> [208.77.47.172] : 1 occurrences<br>
>> Test #33184386 done at 2021-11-05T20:36:59Z<br>
>> ```<br>
>> <br>
>> Getting an answer in the first place is kind of unexpected<br>
> <br>
> Not "kind of": definitely. <a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a> is not in the root zone, so no root server will answer with it.<br>
> <br>
> This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "<a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a>" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $<a href="http://x.root-servers.net" rel="noreferrer" target="_blank">x.root-servers.net</a> and you get an A record back, the host you are hitting is not run by one of the root server operators.<br>
<br>
<br>
I must agree with Paul. This is not a root server, its impersonation. DNS query interception been observed within China for years - here’s a dig result I recorded in 2013 when I was in China for an APNIC conference<br></blockquote><div><br></div><div>Thanks Geoff,<br><br>Yeah, I reply to Paul's message earlier that this was likely leak **and** impersonation. I believe back in 2013 there were no root servers in China, but there is now. What seemed (now fixed) to happen per the traceroutes in<br>ripe-atlas report --renderer traceroute --traceroute-show-asns 33184963 <br><br>was that traffic from MX transiting through AS22908 would then go through AS4134 (China Telecom Backbone) -> AS58466 (Chinanet Guangdong province) -> AS25152 (RIPE) to get to k-root.<br><br>So this is what I call the leak, which had a side effect of impersonation probably for the same reasons as your 2013 dig trace.<br><br>Manu</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
$ dig @<a href="http://m.root-servers.net" rel="noreferrer" target="_blank">m.root-servers.net</a> <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a><br>
; <<>> DiG 9.9.3-P1 <<>> @<a href="http://m.root-servers.net" rel="noreferrer" target="_blank">m.root-servers.net</a>. <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a><br>
; (2 servers found)<br>
;; global options: +cmd<br>
;; Got answer: <br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3195 <br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 <br>
<br>
;; QUESTION SECTION: <br>
;<a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a> IN A <br>
<br>
;; ANSWER SECTION: <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a>. 300 IN A 255.255.255.255 <br>
;; Query time: 38 msec <br>
;; SERVER: 2001:dc3::35#53(2001:dc3::35) <br>
;; WHEN: Tue Aug 27 19:07:12 EST 2013 <br>
;; MSG SIZE rcvd: 50<br>
<br>
<br>
Normally this behaviour (where a query to a root server address received a response rather than a referral) was only visible within an area that was covered by the GFW.<br>
<br>
Geoff Huston<br>
<br>
</blockquote></div></div>