<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><br><br></div></blockquote><br><br>Thanks Paul,<br><br>Yeah, agreed, "kind of" is probably not the right term to use. I essentially did not care in this specific example of any impersonation which is why I added "but I will not focus on the ones returning the correct answer (e.g 185.89.219.12)". I believe there could be a bazillion reasons why a probe would behave like that, possibly someone running their own pi-hole and redirecting all traffic to it, or something in that vein.<br></div></div></blockquote><div><br></div><div>Not to go astray from the initial discussion in this thread, but closing the loop. Those 2 probes returning the "right" answer indeed seem to intercept all DNS traffic within their network to a local DNS server.<br><br>```<br>$ ripe-atlas report --renderer traceroute --traceroute-show-asns 33206215 <br><br>Probe #51510<br>Sat Nov 06 13:36:43 PDT 2021<br><br> 1 193.0.14.129 AS25152 8.057 ms 1.326 ms 1.258 ms<br><br>Probe #51975<br>Sat Nov 06 13:36:42 PDT 2021<br><br> 1 192.168.50.1 2.208 ms 1.742 ms 6.647 ms<br> 2 192.168.40.1 1.11 ms * *<br> 3 193.0.14.129 AS25152 1.689 ms 1.913 ms 1.862 ms</div><div>```</div><div><br></div><div>Manu</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"> <br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote><br>
This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "<a href="http://d.ns.facebook.com" rel="noreferrer" target="_blank">d.ns.facebook.com</a>" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $<a href="http://x.root-servers.net" rel="noreferrer" target="_blank">x.root-servers.net</a> and you get an A record back, the host you are hitting is not run by one of the root server operators.<br></div></div></blockquote><br>To be more precise, I think it is leaking *and* impersonation. I didn't mean to say that k-root there would answer incorrectly, but something in between does.<br><br>Thanks,<br>Manu<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote><br>
--Paul Hoffman</div></div>
</blockquote></div></div>
</blockquote></div></div>