> On 7 Nov 2021, at 2:53 am, Paul Hoffman <[email protected]> wrote:
>
> On Nov 5, 2021, at 9:13 PM, Manu Bretelle <[email protected]> wrote:
>>
>> Looking a bit more into it:
>>
>> Querying d.ns.facebook.com/A against k-root directly from MX probes:
>> https://atlas.ripe.net/measurements/33184386/
>> ```
>> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
>> [] : 13 occurrences
>> [202.160.128.195] : 1 occurrences
>> [199.59.148.97] : 1 occurrences
>> [185.89.219.12] : 2 occurrences
>> [31.13.96.193] : 1 occurrences
>> [208.77.47.172] : 1 occurrences
>> Test #33184386 done at 2021-11-05T20:36:59Z
>> ```
>>
>> Getting an answer in the first place is kind of unexpected
>
> Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so no
> root server will answer with it.
>
> This does not sound like leaking, it sounds like impersonation. (I say this
> without doing the level of research you clearly have done!) That is, a K-root
> instance inside or outside of $country would reply to a query for
> "d.ns.facebook.com" with a referral, not an answer. Thus, if you are sending
> that query to one of the IP addresses for $x.root-servers.net and you get an
> A record back, the host you are hitting is not run by one of the root server
> operators.

I must agree with Paul. This is not a root server, it's impersonation.

DNS query interception has been observed within China for years - here’s a dig result I recorded in 2013 when I was in China for an APNIC conference

$ dig @m.root-servers.net www.facebook.com

; <<>> DiG 9.9.3-P1 <<>> @m.root-servers.net. www.facebook.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com IN A

;; ANSWER SECTION:
www.facebook.com. 300 IN A 255.255.255.255

;; Query time: 38 msec
;; SERVER: 2001:dc3::35#53(2001:dc3::35)
;; WHEN: Tue Aug 27 19:07:12 EST 2013
;; MSG SIZE rcvd: 50

Normally this behaviour (where a query to a root server address received a response rather than a referral) was only visible within an area that was covered by the GFW.

Geoff Huston
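
Added example (not part of the thread or any poster's code): the check both replies describe, that a root-server address should return a referral and never an answer for a name like d.ns.facebook.com, applied to raw DNS response bytes in Python. The function names, verdict labels and both sample messages are constructed here; the RA test is an added assumption based on the `ra` flag in the dig output above and on root servers not offering recursion.

```python
import struct
QR, AA, RA = 0x8000, 0x0400, 0x0080    # DNS header flag bits (RFC 1035)

def skip_name(msg, off):
    """Return the offset just past a domain name, honouring compression."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:         # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                     # zero-length root label ends the name
            return off

def classify(msg):
    """Judge a reply from a root-server address for a name not in the root zone."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    checks = ((an, "answer section populated"),
              (flags & RA, "RA set: responder offers recursion"))
    reasons = [why for hit, why in checks if hit]
    if reasons:
        return "not-a-root-server", reasons, addrs  # verdict labels are this example's own
    referral = ns > 0 and not (flags & AA) and (flags & 0xF) == 0
    return ("referral" if referral else "other"), reasons, addrs

def qname(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

# Constructed from the fields of the 2013 dig output: qr rd ra, one A answer.
FORGED = (struct.pack("!6H", 3195, 0x8180, 1, 1, 0, 0) + qname("www.facebook.com")
          + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
          + struct.pack("!HHIH", 1, 1, 300, 4) + b"\xff" * 4)
# Constructed referral of the shape expected from a root server: NS records only.
NS_RDATA = qname("a.gtld-servers.net")
REFERRAL = (struct.pack("!6H", 1, 0x8100, 1, 0, 1, 0) + qname("d.ns.facebook.com")
            + struct.pack("!HH", 1, 1) + qname("com")
            + struct.pack("!HHIH", 2, 1, 172800, len(NS_RDATA)) + NS_RDATA)
```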
