On Sat, Nov 6, 2021 at 12:57 PM Geoff Huston <[email protected]> wrote:
>
>
> > On 7 Nov 2021, at 2:53 am, Paul Hoffman <[email protected]> wrote:
> >
> > On Nov 5, 2021, at 9:13 PM, Manu Bretelle <[email protected]> wrote:
> >>
> >> Looking a bit more into it:
> >>
> >> Querying d.ns.facebook.com/A against k-root directly from MX probes:
> >> https://atlas.ripe.net/measurements/33184386/
> >> ```
> >> $ blaeu-resolve -m 33184386 -q A d.ns.facebook.com
> >> [] : 13 occurrences
> >> [202.160.128.195] : 1 occurrences
> >> [199.59.148.97] : 1 occurrences
> >> [185.89.219.12] : 2 occurrences
> >> [31.13.96.193] : 1 occurrences
> >> [208.77.47.172] : 1 occurrences
> >> Test #33184386 done at 2021-11-05T20:36:59Z
> >> ```
> >>
> >> Getting an answer in the first place is kind of unexpected
> >
> > Not "kind of": definitely. d.ns.facebook.com is not in the root zone, so no root server will answer with it.
> >
> > This does not sound like leaking, it sounds like impersonation. (I say this without doing the level of research you clearly have done!) That is, a K-root instance inside or outside of $country would reply to a query for "d.ns.facebook.com" with a referral, not an answer. Thus, if you are sending that query to one of the IP addresses for $x.root-servers.net and you get an A record back, the host you are hitting is not run by one of the root server operators.
>
>
> I must agree with Paul. This is not a root server, it's impersonation. DNS query interception has been observed within China for years - here's a dig result I recorded in 2013 when I was in China for an APNIC conference
>
Thanks Geoff,

Yeah, I replied to Paul's message earlier that this was likely leak **and** impersonation. I believe back in 2013 there were no root servers in China, but there are now.

What seemed (now fixed) to happen per the traceroutes in

ripe-atlas report --renderer traceroute --traceroute-show-asns 33184963

was that traffic from MX transiting through AS22908 would then go through AS4134 (China Telecom Backbone) -> AS58466 (Chinanet Guangdong province) -> AS25152 (RIPE) to get to k-root. So this is what I call the leak, which had a side effect of impersonation, probably for the same reasons as your 2013 dig trace.

Manu

>
> $ dig @m.root-servers.net www.facebook.com
> ; <<>> DiG 9.9.3-P1 <<>> @m.root-servers.net. www.facebook.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3195
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.facebook.com IN A
>
> ;; ANSWER SECTION:
> www.facebook.com. 300 IN A 255.255.255.255
> ;; Query time: 38 msec
> ;; SERVER: 2001:dc3::35#53(2001:dc3::35)
> ;; WHEN: Tue Aug 27 19:07:12 EST 2013
> ;; MSG SIZE rcvd: 50
>
>
> Normally this behaviour (where a query to a root server address received a response rather than a referral) was only visible within an area that was covered by the GFW.
>
> Geoff Huston
>
>
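The criterion Paul and Geoff apply above (a root server refers a query for a name below a TLD and never answers it) turned into a check over the raw wire-format response, as an added example that is not code from the thread. The response builder and both sample messages are constructed here for illustration, and the RA-flag test is an extra signal (root servers are authoritative-only, so they do not offer recursion) rather than something the thread states.

```python
import struct

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, flags, answers=(), authority=()):
    """Constructed helper: minimal response to an A query (answers: IPv4
    strings for qname; authority: NS names for qname's TLD, i.e. a referral)."""
    msg = struct.pack("!HHHHHH", 0x3195, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, IN
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    for ns in authority:
        rdata = encode_name(ns)
        msg += encode_name(qname.rsplit(".", 1)[-1]) + struct.pack("!HHIH", 2, 1, 172800, len(rdata)) + rdata
    return msg

def parse_name(msg, off):
    """Decode a (possibly compressed) name; return (dotted name, next offset)."""
    labels, end = [], None
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                     # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def check_root_response(msg):
    """Classify a response received from a root-server address: a genuine root
    server refers names below a TLD (ANCOUNT 0, NSCOUNT > 0) and never sets RA."""
    _, flags, _, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    off += 4                                                     # skip QTYPE/QCLASS
    below_tld = "." in qname                                     # e.g. www.facebook.com
    if below_tld and an > 0:                                     # answered a name it cannot own
        _, off = parse_name(msg, off)                            # owner of first answer RR
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        return "impersonation", ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()
    if flags & 0x0080:                                           # RA: recursive resolver, not a root
        return "impersonation", "RA flag set"
    if below_tld and an == 0 and ns > 0:
        return "referral", f"{ns} NS records for {qname.rsplit('.', 1)[-1]}"
    return "unclassified", qname
```

Feeding it the 2013 dig above (ANSWER 1, flags qr rd ra, RDATA 255.255.255.255) yields "impersonation", while a genuine k-root reply for the same name yields "referral".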
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
