1. DNS/Implementation/KnotDNSresolver/Handling of NXDOMAIN

When a Kaminsky-style attack is under way, the zone server returns NXDOMAIN.

But does Knot resolver make use of this? It does not seem to.

It could be used for discovering zone cuts.

-- ToshinoriMaeno 2016-03-18 00:55:04

NXDOMAIN responses are stored separately from the normal cache.

/Behaviour when malfunctioning

Lookup example: note the qname minimisation

$ kdig xxxxx.zzzzz.a.ns.qmail.jp @127.0.0.3

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 43848
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; xxxxx.zzzzz.a.ns.qmail.jp.           IN      A

;; AUTHORITY SECTION:
qmail.jp.               2560    IN      SOA     a.ns.qmail.jp. hostmaster.m.qmail.jp. 1454758295 16384 2048 1048576 2560

;; Received 92 B
;; Time 2016-03-18 10:43:38 JST
;; From 127.0.0.3@53(UDP) in 36.8 ms

[plan] plan 'xxxxx.zzzzz.a.ns.qmail.jp.' type 'A'
[resl]   => using root hints
[resl]   => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[resl]      optional: '199.7.83.42' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[resl]      optional: '193.0.14.129' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[resl]      optional: '192.58.128.30' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[iter]   <= referral response, follow
[resl]   <= server: '202.12.27.33' rtt: 6 ms

[resl]   => querying: '203.119.40.1' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[resl]      optional: '150.100.6.8' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[resl]      optional: '192.50.43.53' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[resl]      optional: '210.138.175.244' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[iter]   <= referral response, follow
[resl]   <= server: '203.119.40.1' rtt: 5 ms

[resl]   => querying: '14.192.44.5' score: 10 zone cut: 'qmail.jp.' m12n: 'Ns.QmaiL.jp.' type: 'NS'
[iter]   <= rcode: NOERROR
[iter]   <= found cut, retrying with non-minimized name
[ pc ]   => answer cached for TTL=900
[resl]   <= server: '14.192.44.5' rtt: 11 ms

[resl]   => querying: '14.192.44.5' score: 11 zone cut: 'qmail.jp.' m12n: 'XxxXx.ZzZzz.A.Ns.qMaIl.Jp.' type: 'A'
[iter]   <= rcode: NXDOMAIN
[ pc ]   => answer cached for TTL=900
[resl]   <= server: '14.192.44.5' rtt: 11 ms
[resl] finished: 4, queries: 1, mempool: 16400 B


$ kdig yyyy.zzzzz.a.ns.qmail.jp @127.0.0.3

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39862
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; yyyy.zzzzz.a.ns.qmail.jp.            IN      A

;; AUTHORITY SECTION:
qmail.jp.               2560    IN      SOA     a.ns.qmail.jp. hostmaster.m.qmail.jp. 1454758295 16384 2048 1048576 2560

;; Received 91 B
;; Time 2016-03-18 10:46:54 JST
;; From 127.0.0.3@53(UDP) in 12.9 ms

[plan] plan 'yyyy.zzzzz.a.ns.qmail.jp.' type 'A'
[resl]   => querying: '14.192.44.5' score: 11 zone cut: 'qmail.jp.' m12n: 'Yyyy.zzZzz.a.nS.QMAiL.JP.' type: 'A'
[iter]   <= rcode: NXDOMAIN
[ pc ]   => answer cached for TTL=900
[resl]   <= server: '14.192.44.5' rtt: 12 ms
[resl] finished: 4, queries: 1, mempool: 16400 B


The fact that ns.qmail.jp has no NS records is cached!

$ kdig ns ns.qmail.jp @127.0.0.3

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 25085
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; ns.qmail.jp.                 IN      NS

;; AUTHORITY SECTION:
qmail.jp.               2273    IN      SOA     a.ns.qmail.jp. hostmaster.m.qmail.jp. 1454758295 16384 2048 1048576 2560

;; Received 80 B
;; Time 2016-03-18 10:48:25 JST
;; From 127.0.0.3@53(UDP) in 0.3 ms

[plan] plan 'ns.qmail.jp.' type 'NS'
[ pc ]   => satisfied from cache
[iter]   <= rcode: NOERROR
[resl] finished: 4, queries: 1, mempool: 16400 B
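The three lookups above can be replayed against a small model of a resolver's negative cache. The following is an added example, not Knot Resolver's own code: it implements RFC 2308 per-name caching of NXDOMAIN and NODATA (negative TTL = min(SOA TTL, SOA MINIMUM)), with an optional RFC 8020 "NXDOMAIN cut" mode in which a cached NXDOMAIN for an ancestor answers every name below it. The zone contents, the `authoritative()` stand-in for a.ns.qmail.jp, the 900-second cap (chosen only to mirror the `TTL=900` in the log) and the fifth, constructed query are assumptions. As in the log, the sibling name yyyy.zzzzz.a.ns.qmail.jp is still asked upstream in both modes, because no cached NXDOMAIN covers an ancestor of it; only a query below the already-absent xxxxx.zzzzz.a.ns.qmail.jp is served from cache, and only in the RFC 8020 mode.

```python
"""Added model (not Knot Resolver code) of a resolver negative cache:
RFC 2308 per-name NXDOMAIN/NODATA caching, optionally with RFC 8020 semantics."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the qmail.jp zone served by a.ns.qmail.jp.
# SOA TTL and MINIMUM are the values visible in the kdig output (2560 / 2560).
SOA_TTL, SOA_MINIMUM = 2560, 2560
EXISTING: Dict[str, set] = {
    "qmail.jp.": {"SOA", "NS"},
    "ns.qmail.jp.": set(),        # exists, but has no records: NS/A queries get NODATA
    "a.ns.qmail.jp.": {"A"},
}


def canon(name: str) -> str:
    """Lower-case and make absolute: 'XxxXx.ZzZzz.A.Ns.qMaIl.Jp' == 'xxxxx.zzzzz.a.ns.qmail.jp.'"""
    return name.lower().rstrip(".") + "."


def is_below(name: str, ancestor: str) -> bool:
    """True if canonical `name` is a proper subdomain of canonical `ancestor`."""
    if ancestor == ".":
        return name != "."
    return name.endswith("." + ancestor)


def authoritative(qname: str, qtype: str) -> str:
    """Constructed authoritative answer: NXDOMAIN for absent names, NODATA for absent types."""
    types = EXISTING.get(canon(qname))
    if types is None:
        return "NXDOMAIN"
    return "NOERROR" if qtype in types else "NODATA"


@dataclass
class NegEntry:
    rcode: str            # "NXDOMAIN" (name absent) or "NODATA" (name present, type absent)
    qtype: Optional[str]  # NODATA is per type; NXDOMAIN covers every type (key type None)
    expires: float


class NegativeCache:
    def __init__(self, nxdomain_cut: bool = False, max_ttl: Optional[int] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.nxdomain_cut = nxdomain_cut
        self.max_ttl = max_ttl      # assumed local cap, mirroring the TTL=900 seen in the log
        self.clock = clock
        self.entries: Dict[Tuple[str, Optional[str]], NegEntry] = {}

    def store(self, qname: str, qtype: str, rcode: str, soa_ttl: int, soa_minimum: int) -> int:
        """RFC 2308 section 5: negative TTL = min(SOA TTL, SOA MINIMUM), here also capped."""
        ttl = min(soa_ttl, soa_minimum)
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        key = (canon(qname), None if rcode == "NXDOMAIN" else qtype)
        self.entries[key] = NegEntry(rcode, key[1], self.clock() + ttl)
        return ttl

    def _live(self, key: Tuple[str, Optional[str]]) -> Optional[NegEntry]:
        entry = self.entries.get(key)
        if entry is not None and entry.expires <= self.clock():
            del self.entries[key]     # expired: drop it and report a miss
            return None
        return entry

    def lookup(self, qname: str, qtype: str) -> Optional[str]:
        """Return a cached negative rcode, or None when the upstream must be asked."""
        name = canon(qname)
        if self._live((name, None)):
            return "NXDOMAIN"
        if self._live((name, qtype)):
            return "NODATA"
        if self.nxdomain_cut:
            # RFC 8020: an unexpired NXDOMAIN for an ancestor proves the whole subtree is absent.
            for cached, t in list(self.entries):
                if t is None and is_below(name, cached) and self._live((cached, None)):
                    return "NXDOMAIN"
        return None


def replay(queries: List[Tuple[str, str]], nxdomain_cut: bool = False,
           max_ttl: Optional[int] = 900) -> List[str]:
    """Resolve each (qname, qtype) in order; report 'cache' or 'upstream' per query."""
    cache = NegativeCache(nxdomain_cut=nxdomain_cut, max_ttl=max_ttl)
    sources = []
    for qname, qtype in queries:
        if cache.lookup(qname, qtype) is not None:
            sources.append("cache")
            continue
        rcode = authoritative(qname, qtype)
        if rcode in ("NXDOMAIN", "NODATA"):
            cache.store(qname, qtype, rcode, SOA_TTL, SOA_MINIMUM)
        sources.append("upstream")
    return sources


# The query sequence from the page, plus one constructed query below the cached NXDOMAIN name.
PAGE_QUERIES = [
    ("ns.qmail.jp", "NS"),                    # qname-minimisation probe in the first log: NODATA
    ("XxxXx.ZzZzz.A.Ns.qMaIl.Jp", "A"),       # first kdig (mixed case as in the log): NXDOMAIN
    ("yyyy.zzzzz.a.ns.qmail.jp", "A"),        # second kdig: sibling name, still asked upstream
    ("ns.qmail.jp", "NS"),                    # third kdig: "satisfied from cache"
    ("www.xxxxx.zzzzz.a.ns.qmail.jp", "A"),   # constructed: below a name already known absent
]

if __name__ == "__main__":
    print("RFC 2308 only :", replay(PAGE_QUERIES))
    print("with RFC 8020 :", replay(PAGE_QUERIES, nxdomain_cut=True))
```

The point for an operator is the count of upstream queries: every query that reaches the authoritative server during a flood of random names is another chance for a forged reply to race the real one, so the more negative answers the resolver can serve from cache, the smaller that window. The model also keeps NODATA type-specific (a cached "no NS at ns.qmail.jp" says nothing about A), which is why a NODATA entry cannot stand in for an NXDOMAIN.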