Interesting new dns failures

An odd pattern of DNS failures began appearing in the logs yesterday:

May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns5.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns4.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns3.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns2.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns13.uzmores.com)
...
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns8.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns7.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns6.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns4.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns2.loptran.com)
...
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns7.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns5.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns9.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns12.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns3.dsinlet.com)
...
  (All multiplied by a factor of 10)

Very odd to see a dozen nameservers for several new and obscure
domains. Does this look like a rat?

The apparently misconfigured domains are served by a single registrar,
estdomains.com. (whois -h whois.estdomains.com
..., Registration Service Provided By: N/A, Contact:
+876.784848888). Certainly smells like a rat.

Most of the individual nameservers do not answer queries, the ones
that do are open to recursion, and all are hosted in cable/dsl/dial-up
address space with correspondingly rfc-illegal reverse zones. Running
'host -at ns' a few times shows the list of nameservers is rotated
every few seconds, and occasionally returns "server localhost".

Obviously a rat, but the pattern brings up a number of questions. Are
these spoofed queries and replies? If not, have any root nameservers
been hacked? Do the queries exploit known named vulnerabilities? What
ICANN policy might address this? Finally, what, if anything, are DNS
admins doing about it?
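As an added example (not part of the original post, and not anything named itself does), here is a stdlib-only Python script that parses the "wrong ans. name" lines shown above and flags apexes whose mismatched answers were triggered by many numbered, in-bailiwick nameserver names, plus a churn measure for the rotating NS set that repeated 'host -t ns' runs revealed. The log excerpt is constructed in the shape of the lines above (the example.net and "lame server" lines are invented to show what is not flagged); the nsN.<apex> heuristic, the threshold of four, and the NS snapshots are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed log excerpt in the shape of the named[345] lines quoted above.
# The example.net and "lame server" lines are invented to show what is NOT flagged.
SAMPLE_LOG = """\
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns5.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns4.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns3.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns2.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns13.uzmores.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns8.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns7.loptran.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns7.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns5.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns9.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns12.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns3.dsinlet.com)
May 20 10:13:00 PDT named[345]: wrong ans. name (example.net != www.example.net)
May 20 16:00:00 PDT named[345]: lame server resolving 'foo.example.net' (in 'example.net'?): 192.0.2.1#53
"""

# named logs "wrong ans. name (<answer owner> != <name that was queried>)".
WRONG_ANS = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"named\[\d+\]: wrong ans\. name \((?P<owner>\S+) != (?P<qname>\S+)\)$"
)
# Assumed heuristic for the pattern in the post: numbered "nsN.<apex>" hosts.
NUMBERED_NS = re.compile(r"^ns\d+\.(?P<apex>.+)$")

# Constructed snapshots standing in for three successive 'host -t ns' runs.
POLLS = [{"ns2.uzmores.com", "ns3.uzmores.com", "ns4.uzmores.com"},
         {"ns4.uzmores.com", "ns5.uzmores.com", "ns13.uzmores.com"},
         {"ns7.uzmores.com", "ns8.uzmores.com", "ns9.uzmores.com"}]


def canon(name):
    """Lower-case a name and drop the trailing dot so variants compare equal."""
    return name.lower().rstrip(".")


def parse_wrong_answers(log_text):
    """Map each answer owner name to the set of queried names that produced
    a 'wrong ans. name' complaint; every other named message is ignored."""
    by_owner = defaultdict(set)
    for line in log_text.splitlines():
        m = WRONG_ANS.match(line)
        if m:
            by_owner[canon(m["owner"])].add(canon(m["qname"]))
    return dict(by_owner)


def flag_fluxed_delegations(by_owner, min_ns=4):
    """Return {apex: [ns hosts]} for apexes whose mismatched answers came from
    at least min_ns distinct numbered in-bailiwick nameservers (nsN.<apex>).
    The threshold is an assumption for this example, not a named setting."""
    flagged = {}
    for owner, qnames in by_owner.items():
        ns_hosts = set()
        for q in qnames:
            m = NUMBERED_NS.match(q)
            if m and canon(m["apex"]) == owner:
                ns_hosts.add(q)
        if len(ns_hosts) >= min_ns:
            flagged[owner] = sorted(ns_hosts)
    return flagged


def ns_set_churn(snapshots):
    """Given successive NS RRsets for one zone, return the Jaccard distance
    between consecutive snapshots; values near 1.0 mean the set is being
    rotated out almost entirely between polls."""
    churn = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        prev, cur = set(prev), set(cur)
        union = prev | cur
        churn.append(1 - len(prev & cur) / len(union) if union else 0.0)
    return churn


if __name__ == "__main__":
    hits = flag_fluxed_delegations(parse_wrong_answers(SAMPLE_LOG))
    for apex, hosts in sorted(hits.items()):
        print(f"{apex}: {len(hosts)} numbered NS hosts -> {', '.join(hosts)}")
    print("NS churn between polls:", ns_set_churn(POLLS))
```

On the constructed input this flags uzmores.com and dsinlet.com (five numbered nameservers each) and leaves loptran.com below the threshold; a real deployment would feed it a syslog tail and lower or raise min_ns to taste.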

> If not, have any root nameservers been hacked?

To partly answer my own question, no. The data returned by root
(gtld) nameservers is not changing rapidly. Thanks for the pointers
to "fast flux" too. Wasn't familiar with this attack or terminology.

All the same, it would seem to be an easy and cheap abuse to address,
at the gtlds. Why are these obvious trojans being propagated by
the root servers anyhow?

the root servers are responsible how exactly for the fast-flux issues?
Also, there might be some legitimate business that uses something like
the FF techniques... but, uhm... how are the root servers involved again?

Nobody's saying that the root servers are responsible, only that they
are the point at which these domains would have to be squelched. In
theory registrars could do this, but some would have a financial
incentive not to. Also I don't believe registrars can update the roots
quickly enough to be effective (correct me if I'm wrong).

Given the obvious differences between legitimate fast flux and the
pattern/domains in question it would seem to be a no-brainer,
technically at least.

>> All the same, it would seem to be an easy and cheap abuse to address,
>> at the gtlds. Why are these obvious trojans being propagated by
>> the root servers anyhow?
>
> the root servers are responsible how exactly for the fast-flux issues?
> Also, there might be some legitimate business that uses something like
> the FF techniques... but, uhm... how are the root servers involved again?

> Nobody's saying that the root servers are responsible, only that they

but you said it:

"at the gtlds. Why are these obvious trojans being propagated by
the root servers anyhow?"

> are the point at which these domains would have to be squelched. In
> theory registrars could do this, but some would have a financial
> incentive not to. Also I don't believe registrars can update the roots
> quickly enough to be effective (correct me if I'm wrong).

I think you really mean 'TLD' not 'root'... I think, from playing this
game once or twice myself, the flow starts with the registrar to the
registry (in your example estdomains is the registrar and Verisign is the
registry). i think it pretty much stops there. i suppose you COULD get
ICANN to spank someone, but that's going to take a LONG time to
accomplish. (I think at least)

> Given the obvious differences between legitimate fast flux and the
> pattern/domains in question it would seem to be a no-brainer,
> technically at least.

hrm... I don't think it's a technical stumbling block, though trying to
pre-know who's bad and who's not might get you in trouble (say I register
the domain lakjdauejalkasu91er.com and fast-flux it for my own 'good' use,
how's that different from 'uzmores.com' ?).

Anyway... I don't disagree that there ought to be a hammer here and it
ought to be applied. I'm just not sure it's as simple as it appears at
first blush.

Some have a financial incentive not to do it.
Some others have no financial incentive to do it.
Almost none have a financial incentive to do it.

Nobody should be surprised at the outcome....

a message of 15 lines which said:

> > If not, have any root nameservers been hacked?
>
> To partly answer my own question, no.

I cannot find the original message in my mailbox. (Not on NANOG
mailing list archives.) What was the issue?

> The data returned by root (gtld) nameservers is not changing
> rapidly.

Now, I understand nothing. Is there a problem with the root
nameservers or with some gTLD nameservers???

In article <20070521081322.GA741@nic.fr> you write:

> a message of 15 lines which said:
>
> > > If not, have any root nameservers been hacked?
> >
> > To partly answer my own question, no.
>
> I cannot find the original message in my mailbox. (Not on NANOG
> mailing list archives.) What was the issue?
>
> > The data returned by root (gtld) nameservers is not changing
> > rapidly.
>
> Now, I understand nothing. Is there a problem with the root
> nameservers or with some gTLD nameservers???

  There isn't a problem with the root or tld servers.

  There is a problem with the server for these zones.
  They don't speak RFC 1034, hence the error messages
  about garbage responses.

  Note the answer doesn't match the question.

; <<>> DiG 9.5.0a2 <<>> @76.183.141.203 ns6.loptran.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36800
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns6.loptran.com. IN A

;; ANSWER SECTION:
loptran.com. 0 IN A 24.218.122.218

;; Query time: 212 msec
;; SERVER: 76.183.141.203#53(76.183.141.203)
;; WHEN: Mon May 21 19:05:58 2007
;; MSG SIZE rcvd: 60

  There is a problem with the whole delegation process in
  that no one involved in the delegation seems to care that
  absolute garbage is being injected into the DNS. A few
  simple checks, like above, would have shown that the servers
  were not RFC 1034 compliant. That the glue was not a copy
  of the records in the child zone. The parent *is* required
  by RFC 1034 to check this.

  RFC 1034, 4.2.2. Administrative considerations, paragraph 3.

As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone. The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.

  These zones should be pulled.

  Mark
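Added example, not Mark's code and not anything taken from BIND: a stdlib-only Python reproduction of the two checks his message describes. It rebuilds the 60-byte reply from the dig output above (constructed from the fields shown there, not a capture), applies the owner-name-versus-question test that produces named's "wrong ans. name (X != Y)" message, and compares a parent's NS/glue data against the child's apex data as RFC 1034 4.2.2 requires. The well-formed CNAME reply, the example.com names and the 192.0.2.x addresses are invented for contrast.

```python
import struct

A, NS, CNAME = 1, 2, 5      # RR types used here
IN = 1                      # class

def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name at off -> (name, offset after it)."""
    labels, after = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # RFC 1035 compression pointer
            if after is None:
                after = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (after if after is not None else off)

def parse_response(msg):
    """Return ((qname, qtype), [(owner, rtype, ttl, rdata), ...]) from the
    question and answer sections; authority/additional are not needed here."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (CNAME, NS):
            rdata = read_name(msg, off)[0]
        elif rtype == A:
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        answers.append((owner, rtype, ttl, rdata))
    return questions[0], answers

def wrong_answer_names(question, answers):
    """The test behind named's 'wrong ans. name (X != Y)': each answer RR must
    be owned by the queried name, or by a name reached from it through CNAME
    RRs earlier in the section. Returns [(answer owner, queried name), ...]."""
    qname, _ = question
    acceptable, bad = {qname}, []
    for owner, rtype, _, rdata in answers:
        if owner not in acceptable:
            bad.append((owner, qname))
        elif rtype == CNAME:
            acceptable.add(rdata)
    return bad

def delegation_consistent(parent_side, child_side):
    """RFC 1034 4.2.2: the parent's NS RRs and glue must match the child's apex
    NS RRs and nameserver addresses. Both sides are {ns_host: address} (None for
    a nameserver without glue). Returns the set of mismatched nameserver hosts."""
    return {h for h in set(parent_side) | set(child_side)
            if parent_side.get(h) != child_side.get(h)}

def build_response(ident, question, answers):
    """Minimal authoritative NOERROR reply (flags qr aa) from (qname, qtype)
    and [(owner_wire_bytes, rtype, ttl, rdata_bytes), ...]."""
    msg = struct.pack("!6H", ident, 0x8400, 1, len(answers), 0, 0)
    msg += encode_name(question[0]) + struct.pack("!HH", question[1], IN)
    for owner_wire, rtype, ttl, rdata in answers:
        msg += owner_wire + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
    return msg

# Constructed from the dig output above: question ns6.loptran.com A, answer owned
# by loptran.com; with an uncompressed owner name this is the 60 bytes dig reported.
BOGUS = build_response(36800, ("ns6.loptran.com.", A),
                       [(encode_name("loptran.com."), A, 0, bytes([24, 218, 122, 218]))])

# Constructed well-formed contrast (hypothetical names/address): a CNAME whose
# target's A RR owner is a compression pointer to offset 60, where the CNAME rdata sits.
GOOD = build_response(1, ("www.example.com.", A),
                      [(encode_name("www.example.com."), CNAME, 300, encode_name("host.example.com.")),
                       (struct.pack("!H", 0xC000 | 60), A, 300, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, msg in (("loptran.com reply", BOGUS), ("well-formed reply", GOOD)):
        q, ans = parse_response(msg)
        print(label, "->", wrong_answer_names(q, ans) or "answer names OK")
```

Run against the rebuilt reply it reports ("loptran.com.", "ns6.loptran.com."), the same pair named logged; the CNAME case shows the one legitimate way an answer owner may differ from the question. A registry-side pre-delegation check would call delegation_consistent with the NS/glue it is about to publish and the NS/A data fetched from the child's servers.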

>>All the same, it would seem to be an easy and cheap abuse to address,
>>at the gtlds. Why are these obvious trojans being propagated by
>>the root servers anyhow?
>
>the root servers are responsible how exactly for the fast-flux issues?
>Also, there might be some legitimate business that uses something like
>the FF techniques... but, uhm... how are the root servers involved again?

>Nobody's saying that the root servers are responsible, only that they
>are the point at which these domains would have to be squelched. In
>theory registrars could do this, but some would have a financial
>incentive not to. Also I don't believe registrars can update the roots
>quickly enough to be effective (correct me if I'm wrong).

  ok... so you suggest that the roots squelch these domains?
  i check the contents of the root zone and find that the closest
  the roots come to being able to squelch these zones is to
  remove .com from the zone (since these other entries are not in
  the root but in the com zone).

  if you can get consensus to remove .com, i'm sure the roots would
  be willing to help out.

--bill

Fastflux.

  Gadi.

Small note: For regular fastflux, yes. for NS fastflux, not so much.

There is the issue of fastflux, and the possible solution of blacklisting
at the TLDs.

Both completely separate issues for discussion-sake, as flames can be
avoided.

  Gadi.

Whose bright idea *was* it to design a tree-hierarchical structure, and then
dump essentially all 140 million entries under the same node, anyhow? :)

I'll bet a large pizza that 90% or more could be relocated to a more
appropriate location in the DNS tree, and nobody except the domain holder
and less than a dozen other people will notice/care in the slightest. Now
if anybody has a good idea on what to do with those companies that register
www.thissummersblockbustermoviecomingsoonnow.com ;)

There's an interesting read from NRIC about this problem: "Signposts on
the information superhighway" I think it's called. Essentially no one
aside from propeller-head folks understand that there is something aside
from 'com' :( take, for example, discussions inside the company formerly
known as uunet about email addresses: "Yes, you can email me at
chris@uu.net", "uunet.com?", "no, uu.net", "uu.net.com?", "nope, just
uu.net". Admittedly it was with sales/marketing folks, but still :(

I wonder how the .de or .uk folks see things? Is the same true elsewhere?

-Chris

> There's an interesting read from NRIC about this problem:
> "Signposts on the information superhighway" I think it's
> called. Essentially no one aside from propeller-head folks
> understand that there is something aside from 'com'

Seems to me they are missing something here. Essentially no one except
propeller-head folks uses the DNS for anything at all. Websites
come from Google or bookmarks. Email addresses come from a directory or
an incoming email or a business card.

As for .xx domains, there is enough marketing material in each country
so that people tend to know their country's two-letter prefix is .de or
.ru or .fr. The special case is .uk because we share the same language
as the USA, and here people tend to see a .com domain like an
international trademark or some kind of territorial marking.
Nevertheless, I think that the vast majority of people who actually type
in a domain into the location field are copying it from some marketing
material, like a business card.

P.S., the .xx domains make the world look like a collection of countries
all connected to the same Internet. But the reality is that the world is
divided into a bunch of language zones, most of which cross several
borders, and which don't tend to communicate much with the Internet that
Americans see. For instance, what use does a Hungarian speaking native
of Ukraine have for cnn.com? Or a SerboCroatian speaking native of
Hungary?

--Michael Dillon

> There's an interesting read from NRIC about this problem:
> "Signposts on the information superhighway" I think it's
> called. Essentially no one aside from propeller-head folks
> understand that there is something aside from 'com'

> Seems to me they are missing something here. Essentially no one except
> propeller-head folks uses the DNS for anything at all. Websites
> come from Google or bookmarks. Email addresses come from a directory or
> an incoming email or a business card.

This is sort of the point of the NRIC document/book... 'we need to
find/make/use a directory system for the internet' then much talk of how
"dns was supposed to be that but for a number of reasons it's not,
google/<insert favorite search engine> is instead"

> P.S., the .xx domains make the world look like a collection of countries
> all connected to the same Internet. But the reality is that the world is
> divided into a bunch of language zones, most of which cross several
> borders, and which don't tend to communicate much with the Internet that
> Americans see. For instance, what use does a Hungarian speaking native
> of Ukraine have for cnn.com? Or a SerboCroatian speaking native of
> Hungary?

oh, cnn doesn't publish their content in these tongues? :) they are
missing a marketing opportunity! :)

-Chris

For regular FF 'yes' but for ns FF not much? Hrm, not much legit purpose?
or not much the root/tld folks can do?

I ask because essentially akamai's edgesuite (and I might have their
product names confused some) seems to do FF ... or the same thing FF does.
Doesn't it?

-Chris

> There's an interesting read from NRIC about this problem: "Signposts on
> the information superhighway" I think it's called. Essentially no one
> aside from propeller-head folks understand that there is something aside
> from 'com' :( take, for example, discussions inside the company formerly
> known as uunet about email addresses: "Yes, you can email me at
> chris@uu.net", "uunet.com?", "no, uu.net", "uu.net.com?", "nope, just
> uu.net". Admittedly it was with sales/marketing folks, but still :(

To a great degree, there effectively stopped being anything outside .com
when there stopped being any distinction between who was eligible for
.com, .net or .org, and it just became a "credit card, please"
free-for-all.

I can't imagine anyone now registering a new .com and *not* registering
the corresponding .org and .net, making them pretty much pointless for new
registrations. It's only legacy domains, and occasional gap-finding in
legacy registrations, where the registrant isn't the same for all three.

> I wonder how the .de or .uk folks see things? Is the same true elsewhere?

.co.uk generally seems to be understood by UK folks. .org.uk tends to
cause a double-take. (The 'special' UK SLDs, like nhs.uk, are a maze of
twisty turny third-levels, all on different logic).

My email confuses people by being both a .org and too short - the general
public seems to expect either firstname.lastname@company.com or
some-long-random-attempt-to-sound-cool-with-numbers-because-100-other-people-had-the-same-idea@{yahoo,gmail}.com.

I think the phenomenon of "that doesn't look right because it doesn't end in .com" is peculiar to the US.

Elsewhere, you don't need a particularly large TLD zone to get mindshare -- NZ, CA and NP are three random examples of ccTLDs which are well-recognised locally and which are far smaller than UK or DE; there are many more.

Joe

The odd thing is customers mostly fall into one of the following:

I don't understand anything beyond ".com" and ".co.uk"

I'm a "gov.uk", "nhs.uk" other speciality, who often know more about the
procedures or technicalities of registering their desired domain name than we
do.

And those who just want every possible TLD, and variant, for a name, in some
misguided belief this will protect it in some magical way, and won't just
make a load of money for the registries.

We obviously prefer the last group, as they spend more money, are less hassle,
and are usually content with registering all the TLD domains we can do for
the standard price.

I'm sure there is a business in doing services to the second group, especially
if you chuck in certificates and a few related things.