> Thanks Paul,
>
> Yeah, agreed, "kind of" is probably not the right term to use. I
> essentially did not care in this specific example of any impersonation
> which is why I added "but I will not focus on the ones returning the
> correct answer (e.g 185.89.219.12)". I believe there could be a bazillion
> reasons why a probe would behave like that, possibly someone running their
> own pi-hole and redirecting all traffic to it, or something in that vein.
>

Not to go astray from the initial discussion in this thread, but closing the loop. Those 2 probes returning the "right" answer indeed seem to intercept all DNS traffic within their network to a local DNS server.

```
$ ripe-atlas report --renderer traceroute --traceroute-show-asns 33206215

Probe #51510
Sat Nov 06 13:36:43 PDT 2021
  1 193.0.14.129 AS25152 8.057 ms 1.326 ms 1.258 ms

Probe #51975
Sat Nov 06 13:36:42 PDT 2021
  1 192.168.50.1 2.208 ms 1.742 ms 6.647 ms
  2 192.168.40.1 1.11 ms * *
  3 193.0.14.129 AS25152 1.689 ms 1.913 ms 1.862 ms
```

Manu

>> This does not sound like leaking, it sounds like impersonation. (I say
>> this without doing the level of research you clearly have done!) That is, a
>> K-root instance inside or outside of $country would reply to a query for
>> "d.ns.facebook.com" with a referral, not an answer. Thus, if you are
>> sending that query to one of the IP addresses for $x.root-servers.net
>> and you get an A record back, the host you are hitting is not run by one of
>> the root server operators.
>>
>
> To be more precise, I think it is leaking *and* impersonation. I didn't
> mean to say that k-root there would answer incorrectly, but something in
> between does.
>
> Thanks,
> Manu
>
>> --Paul Hoffman
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
