BCP38.info
On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 28 Jan 2014 08:06:31 -0500, Jared Mauch said:
>
>> 52731 ASN7922
>
>> It includes IP addresses where you send a DNS packet to one address and another IP address responds to the query, e.g.:
>
>> The data only includes those where the "source-ASN" and "dest-asn" of these packets don't match.
>
> Hang on Jared, I'm trying to wrap my head around this. You're saying that
> AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
> you get an answer back from *an entirely different ASN*? How the heck does
> *that* happen?
Yup.
> Hmm.. Comcast. Anybody over there have an explanation what's going on there?
Most of these devices are CPE that perform DNS redirection/proxying wrong because they didn't constrain their udp/53 rule in iptables to only work on the "inside" interface. They then send the packet to their configured DNS server (e.g. 8.8.8.8) and rewrite the source address in the packet to be the IP address of the OpenResolverProject.org scanning server. They then spoof me to 8.8.8.8 and I get the response from there.
I have a unique QNAME per IP I send, so I can decrypt/decode this to get the original destination to detect this.
I mentioned this in the past, so please don't act so surprised :)
http://mailman.nanog.org/pipermail/nanog/2013-August/060246.html
- Jared
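The per-IP QNAME trick Jared describes, as an added example that is not part of the original post and not the OpenResolverProject scanner's own code. It encodes the target IPv4 in the query name together with a short keyed tag (the message only says "decrypt/decode"; the HMAC tag, the `scan.example` zone, the demo key and the prefix-to-ASN table built from RFC 5398 documentation ASNs are all assumptions of this example). A reply that arrives from an address other than the one probed is attributed back to the original target by parsing the question name out of the reply, and the two addresses are compared by ASN, which is the "source-ASN != dest-asn" condition the data set is filtered on.

```python
"""Attribute DNS replies that arrive from a different IP than the one probed.

Added example. Assumptions (not from the original post): the BASE_DOMAIN zone,
the SECRET_KEY, the HMAC tag format, and the constructed ASN_TABLE.
"""
import hashlib
import hmac
import ipaddress
import struct

BASE_DOMAIN = "scan.example"          # assumption: a zone the scanner controls
SECRET_KEY = b"constructed-demo-key"  # assumption: per-run secret for the tag


def encode_qname(target_ip, key=SECRET_KEY, base=BASE_DOMAIN):
    """QNAME carrying the probed IPv4 (hex) plus a 12-hex-char keyed tag."""
    packed = ipaddress.IPv4Address(target_ip).packed
    tag = hmac.new(key, packed, hashlib.sha256).hexdigest()[:12]
    return f"{packed.hex()}-{tag}.{base}."


def decode_qname(qname, key=SECRET_KEY, base=BASE_DOMAIN):
    """Recover the probed IP from a QNAME; None if it is not ours or the tag is bad."""
    name = qname.rstrip(".").lower()
    suffix = "." + base.lower()
    if not name.endswith(suffix) or "-" not in name[: -len(suffix)]:
        return None
    ip_hex, tag = name[: -len(suffix)].split("-", 1)
    if len(ip_hex) != 8:
        return None
    try:
        packed = bytes.fromhex(ip_hex)
    except ValueError:
        return None
    expected = hmac.new(key, packed, hashlib.sha256).hexdigest()[:12]
    if not hmac.compare_digest(tag, expected):
        return None  # forged or corrupted label: do not trust it
    return str(ipaddress.IPv4Address(packed))


def build_query(qname, txid):
    """Minimal DNS wire-format query: header (RD set) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)


def question_name(packet):
    """Parse the first question's name (question names are never compressed)."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + n > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + "."


# Constructed prefix -> ASN table using documentation ranges (RFC 5737/5398).
ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): 64496,  # the probed CPE's network
    ipaddress.ip_network("192.0.2.0/24"): 64497,     # the upstream resolver's network
}


def asn_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def classify_reply(responder_ip, reply_packet, key=SECRET_KEY):
    """Map a reply back to the host it was sent to and flag cross-ASN answers."""
    original = decode_qname(question_name(reply_packet), key)
    if original is None:
        return None  # not one of our probes: ignore
    sent_asn, answered_asn = asn_of(original), asn_of(responder_ip)
    return {
        "sent_to": original,
        "answered_by": responder_ip,
        "sent_to_asn": sent_asn,
        "answered_by_asn": answered_asn,
        "proxied": responder_ip != original,
        "cross_asn": sent_asn != answered_asn,
    }


def demo():
    """Constructed case: probe 198.51.100.7, reply comes back from 192.0.2.53."""
    query = build_query(encode_qname("198.51.100.7"), 0x1234)
    reply = query[:2] + b"\x81\x80" + query[4:]  # same question, QR/RA bits set
    return classify_reply("192.0.2.53", reply)


if __name__ == "__main__":
    print(demo())
```

The tag is what makes the decoded destination trustworthy: a third party who sees the probe format cannot inject a name that attributes a reply to an address the scanner never sent to. On the CPE side, the fix the message implies is the obvious one in iptables terms: the udp/53 redirect or DNAT rule needs an `-i <lan-interface>` match so that queries arriving on the WAN interface are not proxied upstream with the outside sender's source address intact.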