On Mon, Nov 8, 2021 at 10:13 AM Paul Hoffman <[email protected]> wrote:
> Did you investigate whether the impersonation persisted after the route
> leak was fixed? That is, if someone is impersonating K-root for the vantage
> points that you saw, they might be doing it all the time, not just when
> there is a known route leak. A route leak makes impersonation easier, but
> it is not a requirement.
>

That's a good point! I just re-ran the measurements:

```
blaeu-resolve -m 33234036 -q A d.ns.facebook.com
[] : 16 occurrences
[185.89.219.12] : 2 occurrences
Test #33234036 done at 2021-11-08T18:14:39Z
```

The 2 occurrences returning `185.89.219.12` are the ones I mentioned earlier which seem to funnel everything to a local server. One of the original probes did not participate.

Looking at server ids:

```
blaeu-resolve -m 33234039 -q TXT id.server
["ns1.vn-han.k.ripe.net"] : 1 occurrences
["ns3.us-mia.k.ripe.net"] : 4 occurrences
["ns1.us-mia.k.ripe.net"] : 3 occurrences
["ns1.ru-led.k.ripe.net"] : 2 occurrences
["ns2.us-mia.k.ripe.net"] : 4 occurrences
[ERROR: NOTIMP] : 1 occurrences
["ns1.ch-gva.k.ripe.net"] : 1 occurrences
[ERROR: SERVFAIL] : 1 occurrences
["ns1.gb-lon.k.ripe.net"] : 1 occurrences
Test #33234039 done at 2021-11-08T18:15:35Z
```

The 4 originally impacted probes are going to MIA:

```
blaeu-resolve -m 33234048 -q TXT id.server
["ns3.us-mia.k.ripe.net"] : 1 occurrences
["ns2.us-mia.k.ripe.net"] : 1 occurrences
["ns1.us-mia.k.ripe.net"] : 1 occurrences
Test #33234048 done at 2021-11-08T18:22:25Z
```

One of the original probes did not participate.

Manu

--Paul Hoffman
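Added example, not part of the original message: a Python sketch that triages `blaeu-resolve` summary lines like the ones above, grouping `id.server` identities by K-root site and flagging probes that received an address where a root server would only return a referral. The identity pattern is an assumption inferred from the strings in this output, and the function names are hypothetical.

```python
import re

# Summary lines copied from the two measurements quoted in the message above.
A_QUERY = """[] : 16 occurrences
[185.89.219.12] : 2 occurrences"""
ID_SERVER = """["ns1.vn-han.k.ripe.net"] : 1 occurrences
["ns3.us-mia.k.ripe.net"] : 4 occurrences
["ns1.us-mia.k.ripe.net"] : 3 occurrences
["ns1.ru-led.k.ripe.net"] : 2 occurrences
["ns2.us-mia.k.ripe.net"] : 4 occurrences
[ERROR: NOTIMP] : 1 occurrences
["ns1.ch-gva.k.ripe.net"] : 1 occurrences
[ERROR: SERVFAIL] : 1 occurrences
["ns1.gb-lon.k.ripe.net"] : 1 occurrences"""

LINE = re.compile(r"^\[(?P<value>.*)\]\s*:\s*(?P<count>\d+) occurrences$")
# Assumption: identity format inferred from the strings above, not an official spec.
K_ROOT_ID = re.compile(r'^"ns\d+\.([a-z]{2}-[a-z]{3})\.k\.ripe\.net"$')

def parse(text):
    """Map each distinct answer to the number of probes that returned it."""
    counts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            counts[m["value"]] = counts.get(m["value"], 0) + int(m["count"])
    return counts

def classify_id_server(text):
    """Split id.server results into K-root sites, errors and unrecognised identities."""
    sites, errors, unexpected = {}, 0, {}
    for value, count in parse(text).items():
        m = K_ROOT_ID.match(value)
        if m:
            sites[m.group(1)] = sites.get(m.group(1), 0) + count
        elif value.startswith("ERROR:"):
            errors += count
        else:
            unexpected[value] = count
    return sites, errors, unexpected

def non_referral_answers(text):
    """A root server only refers this name onward ([] here); any address is suspect."""
    return {v: c for v, c in parse(text).items() if v}

if __name__ == "__main__":
    print(classify_id_server(ID_SERVER))
    print(non_referral_answers(A_QUERY))
```

An identity string matching the pattern is only a consistency check, since a responder that intercepts the query can return any TXT value it likes; the non-empty answer to the A query is the stronger signal.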
