On Sat, Nov 6, 2021 at 8:53 AM Paul Hoffman <[email protected]> wrote:
> On Nov 5, 2021, at 9:13 PM, Manu Bretelle <[email protected]> wrote:
> >> >
> >> > Looking a bit more into it:
> >> >
> >> > Querying d.ns.facebook.com/A against k-root directly from MX probes:
> >> > https://atlas.ripe.net/measurements/33184386/
> >> > ```
> >> > $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
> >> > [] : 13 occurrences
> >> > [202.160.128.195] : 1 occurrences
> >> > [199.59.148.97] : 1 occurrences
> >> > [185.89.219.12] : 2 occurrences
> >> > [31.13.96.193] : 1 occurrences
> >> > [208.77.47.172] : 1 occurrences
> >> > Test #33184386 done at 2021-11-05T20:36:59Z
> >> > ```
> >> >
> >> > Getting an answer in the first place is kind of unexpected
> >> >
> Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so
> no root server will answer with it.
>

Thanks Paul,

Yeah, agreed, "kind of" is probably not the right term to use. I essentially did not care in this specific example of any impersonation which is why I added "but I will not focus on the ones returning the correct answer (e.g. 185.89.219.12)". I believe there could be a bazillion reasons why a probe would behave like that, possibly someone running their own pi-hole and redirecting all traffic to it, or something in that vein.

>
> This does not sound like leaking, it sounds like impersonation. (I say
> this without doing the level of research you clearly have done!) That is, a
> K-root instance inside or outside of $country would reply to a query
> for "d.ns.facebook.com" with a referral, not an answer. Thus, if you are
> sending that query to one of the IP addresses for $x.root-servers.net and
> you get an A record back, the host you are hitting is not run by one of the
> root server operators.
>

To be more precise, I think it is leaking *and* impersonation. I didn't mean to say that k-root there would answer incorrectly, but something in between does.

Thanks,
Manu

> --Paul Hoffman
>
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
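
The referral-versus-answer test discussed in this thread, as an added example that is not part of the original messages: it classifies a raw DNS response so that a reply sent from a root server address for a name outside the root zone can be flagged when it carries an answer instead of a referral. The sample messages, the `192.0.2.1` address and all function names are constructed for illustration.

```python
import struct

A, NS = 1, 2  # RR type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def rr(owner, rtype, rdata):
    # owner is already wire-encoded (here: a compression pointer)
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def response(flags, answers=(), authority=()):
    """Build a constructed response to the query d.ns.facebook.com/A."""
    question = encode_name("d.ns.facebook.com") + struct.pack("!HH", A, 1)
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    return header + question + b"".join(answers) + b"".join(authority)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Return 'answer', 'referral' or 'other' for a DNS response message."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not (flags & 0x8000):      # QR bit clear: not a response
        return "other"
    if an:                        # answer section populated
        return "answer"
    off = 12
    for _ in range(qd):           # step over the question section
        off = skip_name(msg, off) + 4
    # Referral: NOERROR, AA clear, authority section starting with an NS record
    if ns and not (flags & 0x0400) and (flags & 0xF) == 0:
        off = skip_name(msg, off)
        if struct.unpack("!H", msg[off:off + 2])[0] == NS:
            return "referral"
    return "other"

def consistent_with_root(msg):
    """For a name outside the root zone, only a referral matches a real root server."""
    return classify(msg) == "referral"

# Constructed samples: 0xc01a points at "com", 0xc00c at the full query name.
REFERRAL = response(0x8000, authority=[rr(b"\xc0\x1a", NS, encode_name("a.gtld-servers.net"))])
ANSWER = response(0x8400, answers=[rr(b"\xc0\x0c", A, bytes([192, 0, 2, 1]))])
```
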
