SlideShare a Scribd company logo

A curious case of broken dns responses - RIPE75

Babak Farrokhi
Babak Farrokhi

Talk by Babak Farrokhi on large scale DNS Sinkholing and mitigation methods Link to video: https://ripe75.ripe.net/archives/video/105/

Internet
1 of 23
Download to read offline
A curious case of broken DNS responses Babak Farrokhi RIPE 75
About me ● Unix SA (FreeBSD, Solaris, Linux) since 1996 ● IP Networking since 1997 ● FreeBSD Ports Team since 2004 ● Enthusiastic coder @farrokhi
Prologue ● When it comes to network, I always have trust issues ● Most people ignore those strange network behaviors ● Only a few people take the red pill and go down the rabbit hole...
Observation ● Outgoing SMTP fails due to MX lookup failures ○ only certain domains (e.g. twitter.com) ● Local resolver returns “incorrect” response ● Public Resolver (e.g. Google) also returned incorrect response ● I needed to look deeper into this
Down the rabbit hole...
Strange responses from public resolvers This is not what I expected to get from a public resolver: % dig +short -t A twitter.com @8.8.8.8 10.10.34.34 % dig +short -t A ripe.net @8.8.8.8 193.0.6.139 % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
Need to take a closer look Not obvious at first glance, but time delta is strange... % tcpdump -ttt -c2 -nqr ripe.pcap reading from PCAP-NG file ripe.pcap 00:00:00.000000 IP 192.168.0.132.53425 > 8.8.8.8.53: UDP, length 27 00:00:00.138933 IP 8.8.8.8.53 > 192.168.0.132.53425: UDP, length 75 % tcpdump -ttt -c2 -nqr twitter.pcap reading from PCAP-NG file twitter.pcap 00:00:00.000000 IP 192.168.0.132.58418 > 8.8.8.8.53: UDP, length 29 00:00:00.028077 IP 8.8.8.8.53 > 192.168.0.132.58418: UDP, length 45
dnsping - A new tool is born ● Started as a humble Python script to solve my own problem ● Not intended to re-invent the wheel ● Similar user experience as the legacy PING % ./dnsping.py -s 8.8.8.8 -c3 ripe.net dnsping.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 32 bytes from 8.8.8.8: seq=0 time=200.371 ms 32 bytes from 8.8.8.8: seq=1 time=217.320 ms 32 bytes from 8.8.8.8: seq=2 time=236.644 ms --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=200.371 ms, avg=218.112 ms, max=236.644 ms, stddev=18.149 ms
ICMP vs DNS Response Times % ping -q -c10 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 124.237/155.044/227.499/31.464 ms % ./dnsping.py -q -s 8.8.8.8 -c3 twitter.com dnsping.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=12.934 ms, avg=21.355 ms, max=29.425 ms, stddev=8.251 ms
First anomaly ● Different domain names being treated differently ● A rogue name server impersonating as Google Resolver ● The rogue name server is close to me (given response times) ● Where is it? And how can I find out?
dnstraceroute: Traceroute tool for DNS protocol ● Similar to legacy traceroute, but for DNS protocol ● Send out actual DNS queries and expect a response ● Using TTL trick to map the journey ● Could not use legacy traceroute with UDP probes ○ The traffic redirection is based on DNS “payload”
Real vs Rogue DNS Servers % ./dnstraceroute.py -s 8.8.8.8 ripe.net dnstraceroute.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.912 ms 2 * 3 192.168.10.105 (192.168.10.105) 15.792 ms 4 172.17.2.1 (172.17.2.1) 17.063 ms 5 172.17.2.9 (172.17.2.9) 11.245 ms 6 172.19.18.5 (172.19.18.5) 24.862 ms 7 172.19.17.2 (172.19.17.2) 18.972 ms 8 10.201.177.41 (10.201.177.41) 13.261 ms 9 10.10.53.190 (10.10.53.190) 14.240 ms 10 185.100.209.117 (185.100.209.117) 176.592 ms 11 * 12 de-cix.fra.google.com (80.81.192.108) 152.757 ms 13 108.170.251.193 (108.170.251.193) 90.347 ms 14 google-public-dns-a.google.com (8.8.8.8) 185.401 ms % ./dnstraceroute.py -s 8.8.8.8 twitter.com dnstraceroute.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.160 ms 2 * 3 192.168.10.105 (192.168.10.105) 5.985 ms 4 172.17.2.1 (172.17.2.1) 8.535 ms 5 172.17.2.9 (172.17.2.9) 20.617 ms 6 172.19.18.5 (172.19.18.5) 7.823 ms 7 * 8 * 9 google-public-dns-a.google.com (8.8.8.8) 19.557 ms
Back to the case of broken MX ● Rogue nameserver also returns “broken” responses ● Only to certain type of queries (e.g. MX) % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
Looking at packets again... ● Response to MX request is malformed ○ Server responded with PTR response ○ RDLENGTH is 3 but RDATA field contains 4 bytes ■ Additional byte was always NULL ■ Seems like a bug in code ● Queried top 10,000 domain names [1], received 139 broken responses [2]
Uncovering the rouge resolver address ● Query TXT record from maxmind.test-ipv6.com ● It tells you the public address of your resolver ○ The address should belong to Google (AS15169) ○ Anything else means MITM ● Using RIPE Atlas to see if this is a regular practice % dig +short -t TXT maxmind.test-ipv6.com @8.8.4.4 "ip='74.125.74.14' as='15169' isp='Google' country='FI'"
Is it just me? Let's ask RIPE Atlas ● 500 Probes worldwide - 484 Replied (DNS/UDP/IPv4) ○ 475 Good (Req. from Google address space) ~98% ○ 9 Bad (Req. from non-Google address space) ~2% ● Same 500 probes - 484 Replied (DNS/TCP/IPv4) ○ 479 Good ~99% ○ 5 Bad ~1%
The logic behind DNS traffic redirection
What is the motivation? There are mainly two reasons: 1. Privacy protection (The Good) ○ Prevent sending request to use have your end-point IP address as its source address ○ Filter out malwares looking for their C&C 2. DNS based service redirection (The Evil) ○ Restrict your access ○ Redirect your traffic
Countermeasures ● Force local resolver to use TCP ● DNSCrypt (dnscrypt.org) ○ OpenDNS supports it, desktop clients available ● DNS over TLS/DTLS (RFC 7858 and 8094) ○ DNS Privacy Project (dnsprivacy.org) offers tutorials, tools, recommendations and test servers ● DNSSEC ○ From top 100 domain names only 2 of them are signed [3] ○ What if the rogue nameserver does not validate DNSSEC?
Final words ● Don’t trust a public DNS resolver, use your own ○ There ain't no such thing as a free lunch (TANSTAAFL) ○ Stub resolvers are easy to setup and use (e.g. Stubby) ● Don’t trust your upstream, encrypt as much as possible ○ DNS contains important information ○ As per RFC7258: “Pervasive Monitoring Is an Attack”
Tools of the trade ● dnsping, dnstraceroute and dnseval are part of “dnsdiag toolkit” on GitHub [4] ○ Looking for feedback and ideas from community ● Combining with other tools (e.g. RIPE Atlas) to perform more complex behavior analysis ● Suggestion: dnstraceroute in RIPE Atlas probes?
Questions?
Resources [1] https://github.com/opendns/public-domain-lists [2] https://gist.github.com/farrokhi/0b56ae06813391be9164 [3] https://gist.github.com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8 [4] https://github.com/farrokhi/dnsdiag Also my articles on RIPE Labs discussion the same issue: ● https://labs.ripe.net/Members/babak_farrokhi

Recommended

Fungal diseases [penicillium and trichophyton]
Fungal diseases [penicillium and trichophyton]Fungal diseases [penicillium and trichophyton]
Fungal diseases [penicillium and trichophyton]
MAGESHWARSINGH
 
Tick and Disease caused by them.
Tick and Disease caused by them.Tick and Disease caused by them.
Tick and Disease caused by them.
Raaz Eve Mishra
 
Food poisoning.pptx
Food poisoning.pptxFood poisoning.pptx
Food poisoning.pptx
drprincealex84
 
Leishmaniasis
LeishmaniasisLeishmaniasis
LeishmaniasisDevendra Niranjan
 
8 dermatology (skin diseases)
8 dermatology (skin diseases)8 dermatology (skin diseases)
8 dermatology (skin diseases)
karima Akool AlSalihi
 
Zoonoses by protozoans
Zoonoses by protozoansZoonoses by protozoans
Zoonoses by protozoans
Neethu Kolakkadan
 
Northern and Southern blight in maize
Northern and Southern blight in maizeNorthern and Southern blight in maize
Northern and Southern blight in maize
rishi0
 
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
Babak Farrokhi
 

Recommended

Fungal diseases [penicillium and trichophyton]
Fungal diseases [penicillium and trichophyton]Fungal diseases [penicillium and trichophyton]
Fungal diseases [penicillium and trichophyton]
MAGESHWARSINGH
 
Tick and Disease caused by them.
Tick and Disease caused by them.Tick and Disease caused by them.
Tick and Disease caused by them.
Raaz Eve Mishra
 
Food poisoning.pptx
Food poisoning.pptxFood poisoning.pptx
Food poisoning.pptx
drprincealex84
 
Leishmaniasis
LeishmaniasisLeishmaniasis
LeishmaniasisDevendra Niranjan
 
8 dermatology (skin diseases)
8 dermatology (skin diseases)8 dermatology (skin diseases)
8 dermatology (skin diseases)
karima Akool AlSalihi
 
Zoonoses by protozoans
Zoonoses by protozoansZoonoses by protozoans
Zoonoses by protozoans
Neethu Kolakkadan
 
Northern and Southern blight in maize
Northern and Southern blight in maizeNorthern and Southern blight in maize
Northern and Southern blight in maize
rishi0
 
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
Babak Farrokhi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
Alex Mayrhofer
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
Sneha Inguva
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
APNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
Qrator Labs
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
dns.workshop.hsgr
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgr
ebalaskas
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS StatsGeorge Ang
 
6 app-tcp
6 app-tcp6 app-tcp
6 app-tcp
Olivier Bonaventure
 
Resolution for a Faster Site
Resolution for a Faster SiteResolution for a Faster Site
Resolution for a Faster Site
Ido Safruti
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMPShaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
Martin Schütte
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice
 
Servers and Processes: Behavior and Analysis
Servers and Processes: Behavior and AnalysisServers and Processes: Behavior and Analysis
Servers and Processes: Behavior and Analysisdreamwidth
 
Network commands
Network commandsNetwork commands
Network commands
Dr. Mahadev Gawas
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
CTruncer
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Seunghyun Lee
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 

More Related Content

Similar to A curious case of broken dns responses - RIPE75

Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
Alex Mayrhofer
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
Sneha Inguva
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
APNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
Qrator Labs
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
dns.workshop.hsgr
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgr
ebalaskas
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS StatsGeorge Ang
 
6 app-tcp
6 app-tcp6 app-tcp
6 app-tcp
Olivier Bonaventure
 
Resolution for a Faster Site
Resolution for a Faster SiteResolution for a Faster Site
Resolution for a Faster Site
Ido Safruti
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
Martin Schütte
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice
 
Servers and Processes: Behavior and Analysis
Servers and Processes: Behavior and AnalysisServers and Processes: Behavior and Analysis
Servers and Processes: Behavior and Analysisdreamwidth
 
Network commands
Network commandsNetwork commands
Network commands
Dr. Mahadev Gawas
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
CTruncer
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Seunghyun Lee
 

Similar to A curious case of broken dns responses - RIPE75 (20)

Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
dns.workshop.hsgr
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgr
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS Stats
 
6 app-tcp
6 app-tcp6 app-tcp
6 app-tcp
 
Resolution for a Faster Site
Resolution for a Faster SiteResolution for a Faster Site
Resolution for a Faster Site
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Servers and Processes: Behavior and Analysis
Servers and Processes: Behavior and AnalysisServers and Processes: Behavior and Analysis
Servers and Processes: Behavior and Analysis
 
Network commands
Network commandsNetwork commands
Network commands
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
 

Recently uploaded

国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 

Recently uploaded (20)

国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 

A curious case of broken dns responses - RIPE75

  • 1. A curious case of broken DNS responses Babak Farrokhi RIPE 75
  • 2. About me ● Unix SA (FreeBSD, Solaris, Linux) since 1996 ● IP Networking since 1997 ● FreeBSD Ports Team since 2004 ● Enthusiastic coder @farrokhi
  • 3. Prologue ● When it comes to network, I always have trust issues ● Most people ignore those strange network behaviors ● Only a few people take the red pill and go down the rabbit hole...
  • 4. Observation ● Outgoing SMTP fails due to MX lookup failures ○ only certain domains (e.g. twitter.com) ● Local resolver returns “incorrect” response ● Public Resolver (e.g. Google) also returned incorrect response ● I needed to look deeper into this
  • 5. Down the rabbit hole...
  • 6. Strange responses from public resolvers This is not what I expected to get from a public resolver: % dig +short -t A twitter.com @8.8.8.8 10.10.34.34 % dig +short -t A ripe.net @8.8.8.8 193.0.6.139 % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
  • 7. Need to take a closer look Not obvious at first glance, but time delta is strange... % tcpdump -ttt -c2 -nqr ripe.pcap reading from PCAP-NG file ripe.pcap 00:00:00.000000 IP 192.168.0.132.53425 > 8.8.8.8.53: UDP, length 27 00:00:00.138933 IP 8.8.8.8.53 > 192.168.0.132.53425: UDP, length 75 % tcpdump -ttt -c2 -nqr twitter.pcap reading from PCAP-NG file twitter.pcap 00:00:00.000000 IP 192.168.0.132.58418 > 8.8.8.8.53: UDP, length 29 00:00:00.028077 IP 8.8.8.8.53 > 192.168.0.132.58418: UDP, length 45
  • 8. dnsping - A new tool is born ● Started as a humble Python script to solve my own problem ● Not intended to re-invent the wheel ● Similar user experience as the legacy PING % ./dnsping.py -s 8.8.8.8 -c3 ripe.net dnsping.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 32 bytes from 8.8.8.8: seq=0 time=200.371 ms 32 bytes from 8.8.8.8: seq=1 time=217.320 ms 32 bytes from 8.8.8.8: seq=2 time=236.644 ms --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=200.371 ms, avg=218.112 ms, max=236.644 ms, stddev=18.149 ms
  • 9. ICMP vs DNS Response Times % ping -q -c10 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 124.237/155.044/227.499/31.464 ms % ./dnsping.py -q -s 8.8.8.8 -c3 twitter.com dnsping.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=12.934 ms, avg=21.355 ms, max=29.425 ms, stddev=8.251 ms
  • 10. First anomaly ● Different domain names being treated differently ● A rogue name server impersonating as Google Resolver ● The rogue name server is close to me (given response times) ● Where is it? And how can I find out?
  • 11. dnstraceroute: Traceroute tool for DNS protocol ● Similar to legacy traceroute, but for DNS protocol ● Send out actual DNS queries and expect a response ● Using TTL trick to map the journey ● Could not use legacy traceroute with UDP probes ○ The traffic redirection is based on DNS “payload”
  • 12. Real vs Rogue DNS Servers % ./dnstraceroute.py -s 8.8.8.8 ripe.net dnstraceroute.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.912 ms 2 * 3 192.168.10.105 (192.168.10.105) 15.792 ms 4 172.17.2.1 (172.17.2.1) 17.063 ms 5 172.17.2.9 (172.17.2.9) 11.245 ms 6 172.19.18.5 (172.19.18.5) 24.862 ms 7 172.19.17.2 (172.19.17.2) 18.972 ms 8 10.201.177.41 (10.201.177.41) 13.261 ms 9 10.10.53.190 (10.10.53.190) 14.240 ms 10 185.100.209.117 (185.100.209.117) 176.592 ms 11 * 12 de-cix.fra.google.com (80.81.192.108) 152.757 ms 13 108.170.251.193 (108.170.251.193) 90.347 ms 14 google-public-dns-a.google.com (8.8.8.8) 185.401 ms % ./dnstraceroute.py -s 8.8.8.8 twitter.com dnstraceroute.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.160 ms 2 * 3 192.168.10.105 (192.168.10.105) 5.985 ms 4 172.17.2.1 (172.17.2.1) 8.535 ms 5 172.17.2.9 (172.17.2.9) 20.617 ms 6 172.19.18.5 (172.19.18.5) 7.823 ms 7 * 8 * 9 google-public-dns-a.google.com (8.8.8.8) 19.557 ms
  • 13. Back to the case of broken MX ● Rogue nameserver also returns “broken” responses ● Only to certain type of queries (e.g. MX) % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
  • 14. Looking at packets again... ● Response to MX request is malformed ○ Server responded with PTR response ○ RDLENGTH is 3 but RDATA field contains 4 bytes ■ Additional byte was always NULL ■ Seems like a bug in code ● Queried top 10,000 domain names [1], received 139 broken responses [2]
  • 15. Uncovering the rouge resolver address ● Query TXT record from maxmind.test-ipv6.com ● It tells you the public address of your resolver ○ The address should belong to Google (AS15169) ○ Anything else means MITM ● Using RIPE Atlas to see if this is a regular practice % dig +short -t TXT maxmind.test-ipv6.com @8.8.4.4 "ip='74.125.74.14' as='15169' isp='Google' country='FI'"
  • 16. Is it just me? Let's ask RIPE Atlas ● 500 Probes worldwide - 484 Replied (DNS/UDP/IPv4) ○ 475 Good (Req. from Google address space) ~98% ○ 9 Bad (Req. from non-Google address space) ~2% ● Same 500 probes - 484 Replied (DNS/TCP/IPv4) ○ 479 Good ~99% ○ 5 Bad ~1%
  • 17. The logic behind DNS traffic redirection
  • 18. What is the motivation? There are mainly two reasons: 1. Privacy protection (The Good) ○ Prevent sending request to use have your end-point IP address as its source address ○ Filter out malwares looking for their C&C 2. DNS based service redirection (The Evil) ○ Restrict your access ○ Redirect your traffic
  • 19. Countermeasures ● Force local resolver to use TCP ● DNSCrypt (dnscrypt.org) ○ OpenDNS supports it, desktop clients available ● DNS over TLS/DTLS (RFC 7858 and 8094) ○ DNS Privacy Project (dnsprivacy.org) offers tutorials, tools, recommendations and test servers ● DNSSEC ○ From top 100 domain names only 2 of them are signed [3] ○ What if the rogue nameserver does not validate DNSSEC?
  • 20. Final words ● Don’t trust a public DNS resolver, use your own ○ There ain't no such thing as a free lunch (TANSTAAFL) ○ Stub resolvers are easy to setup and use (e.g. Stubby) ● Don’t trust your upstream, encrypt as much as possible ○ DNS contains important information ○ As per RFC7258: “Pervasive Monitoring Is an Attack”
  • 21. Tools of the trade ● dnsping, dnstraceroute and dnseval are part of “dnsdiag toolkit” on GitHub [4] ○ Looking for feedback and ideas from community ● Combining with other tools (e.g. RIPE Atlas) to perform more complex behavior analysis ● Suggestion: dnstraceroute in RIPE Atlas probes?
  • 23. Resources [1] https://github.com/opendns/public-domain-lists [2] https://gist.github.com/farrokhi/0b56ae06813391be9164 [3] https://gist.github.com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8 [4] https://github.com/farrokhi/dnsdiag Also my articles on RIPE Labs discussion the same issue: ● https://labs.ripe.net/Members/babak_farrokhi