MoinQ:


1. DNS/毒盛/AncillaryDataAttacks/1.1.1.1 (毒盛: cache poisoning)

1.1. Pointed out by otsuka0752

https://twitter.com/otsuka0752/status/1272178155449614341?s=20

$ dig +short TXT cf1111.tcpreplay\.net. @\1.1.1.1
"!!! FAKE DANGER !!!"

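1.1.1.1 is indeed dangerous, but what matters is the nature of the danger. -- ToshinoriMaeno 2020-06-19 22:38:08

The cache structure of knot-resolver (1.1.1.1) differs from that of BIND/Unbound.

The important point is that this does not occur with 8.8.8.8, 9.9.9.9 and the like, and that it does not occur with BIND/Unbound caches either.

The cf1111.tcpreplay.net zone is poisoned. However, it goes no further than that.

/glocalism.jp shows that the value-domain DNS service can be used for attacks.

/攻撃例 (attack example)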

ns1.tcpreplay.net.      172800  IN      A       52.213.198.181
ns2.tcpreplay.net.      172800  IN      A       52.213.198.181
ns3.tcpreplay.net.      172800  IN      A       52.213.198.181
ns4.tcpreplay.net.      172800  IN      A       52.213.198.181

;; AUTHORITY SECTION:
117yen.com.             172800  IN      NS      ns1.117yen.com.
117yen.com.             172800  IN      NS      ns2.117yen.com.
117yen.com.             172800  IN      NS      ns3.117yen.com.
117yen.com.             172800  IN      NS      ns4.117yen.com.

;; ADDITIONAL SECTION:
ns1.117yen.com.         172800  IN      A       205.251.192.51
ns2.117yen.com.         172800  IN      A       205.251.194.2
ns3.117yen.com.         172800  IN      A       205.251.197.220
ns4.117yen.com.         172800  IN      A       205.251.199.228

$ dig -t txt cf1111.tcpreplay.net @ns1.tcpreplay.net

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> -t txt cf1111.tcpreplay.net @ns1.tcpreplay.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10154
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e4077b83b5764d01857912cc5eec7786e05b1bdaa9585ba6 (good)
;; QUESTION SECTION:
;cf1111.tcpreplay.net.          IN      TXT

;; AUTHORITY SECTION:
cf1111.tcpreplay.net.   300     IN      NS      ns-out.out.117yen.com.

;; ADDITIONAL SECTION:
ns-out.out.117yen.com.  170     IN      A       63.35.157.66

;; Query time: 261 msec
;; SERVER: 52.213.198.181#53(52.213.198.181)
;; WHEN: Fri Jun 19 17:29:58 JST 2020
;; MSG SIZE  rcvd: 128

The A record in the additional section here is fake data.

$ dig -t a ns-out.out.117yen.com @ns.out.117yen.com.

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> -t a ns-out.out.117yen.com @ns.out.117yen.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27631
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0858b97dad17148765f169bd5eec7a426a627e776e5aadb4 (good)
;; QUESTION SECTION:
;ns-out.out.117yen.com.         IN      A

;; ANSWER SECTION:
ns-out.out.117yen.com.  30      IN      A       54.77.128.254

;; AUTHORITY SECTION:
out.117yen.com.         30      IN      NS      ns.out.117yen.com.

;; ADDITIONAL SECTION:
ns.out.117yen.com.      30      IN      A       34.255.69.36

;; Query time: 269 msec
;; SERVER: 34.255.69.36#53(34.255.69.36)
;; WHEN: Fri Jun 19 17:41:38 JST 2020
;; MSG SIZE  rcvd: 127
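
A resolver-side bailiwick check applied to the two responses above, as an added example that is not part of the original page. The function names, and the choice of the queried server's zone as the bailiwick, are assumptions; the record lines are copied from the dig output on this page.

```python
# Added example: bailiwick filtering of additional-section (ancillary) data.
# Record lines are copied from the dig output on this page.

def labels(name):
    s = name.lower().rstrip(".")
    return s.split(".") if s else []

def in_bailiwick(name, zone):
    """True if name is the zone apex or below it (compared label by label)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_rr(line):
    """Split a dig-style line into (owner, ttl, type, rdata)."""
    owner, ttl, _cls, rtype, rdata = line.split(None, 4)
    return owner.lower(), int(ttl), rtype.upper(), rdata.strip().lower()

def filter_additional(server_zone, authority, additional):
    """Return (accepted, rejected) address records from a response sent by a
    server for server_zone. Assumption: glue is usable only if it names an NS
    target from the authority section and lies inside server_zone."""
    ns_targets = {rd for _, _, t, rd in map(parse_rr, authority) if t == "NS"}
    accepted, rejected = [], []
    for owner, _, rtype, rdata in map(parse_rr, additional):
        if rtype not in ("A", "AAAA"):
            continue
        ok = owner in ns_targets and in_bailiwick(owner, server_zone)
        (accepted if ok else rejected).append((owner, rdata))
    return accepted, rejected

def conflicts(glue, authoritative):
    """Glue entries whose address differs from the authoritative answer."""
    auth = {o: rd for o, _, _, rd in map(parse_rr, authoritative)}
    return [(o, rd, auth[o]) for o, rd in glue if o in auth and auth[o] != rd]

# Referral from ns1.tcpreplay.net (52.213.198.181), serving tcpreplay.net
REFERRAL = filter_additional(
    "tcpreplay.net.",
    ["cf1111.tcpreplay.net.   300     IN      NS      ns-out.out.117yen.com."],
    ["ns-out.out.117yen.com.  170     IN      A       63.35.157.66"])
# Authoritative reply from ns.out.117yen.com (34.255.69.36), serving out.117yen.com
AUTH = filter_additional(
    "out.117yen.com.",
    ["out.117yen.com.         30      IN      NS      ns.out.117yen.com."],
    ["ns.out.117yen.com.      30      IN      A       34.255.69.36"])

if __name__ == "__main__":
    print("rejected glue:", REFERRAL[1])
    print("accepted glue:", AUTH[0])
    print("conflict:", conflicts(REFERRAL[1],
          ["ns-out.out.117yen.com.  30      IN      A       54.77.128.254"]))
```

The glue from the tcpreplay.net server is rejected because its owner name lies under 117yen.com, outside the zone that server answers for; the glue in the second response stays inside out.117yen.com and is accepted.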