[AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

Mark Smith markzzzsmith at gmail.com
Thu Jun 1 18:03:30 EST 2017 

What you're seeing is quite expected, you're providing a relative domain
name not an absolute one. Since it is relative, then the DNS resolver will
try to use the list of search domains it has to resolve it.

The purpose of providing a domain to a client e.g. via DHCP is so that
relative names can be used for things.

In the ISP world, it would be so that customers can type "mail" rather than
"mail.isp.com". I don't think that is really much value anymore, as the
only place people commonly type domain names its into their web browser,
and they're full domain names outside the ISP's name space, even though
they're technically not fully qualified - a fully qualified domain name has
a dot on the end e.g. "mail.isp.com.". Also, ISPs provide full (relative)
names on settings pages too.

So you have the following options

(a) always use fully qualified domain names i.e. ones that have dots on the
end - which is impractical because it will be hard to change end user
behaviour.

(b) work out where your resolver relative search list is and stop it
listing .com.au. Something to try is to have a single search domain of '.',
which would make all relative domain names absolute ones upon the first
resolution attempt.

Try your nslookup query with a dot on the end and it should either entirely
succeed or entirely fail on the first resolution attempt.


On 1 Jun. 2017 17:38, "Benjamin Ricardo" <ben.ricardo at acs.net.au> wrote:

Ahh yes I hadn’t thought of the catchall.



You are correct Nick there is still an old 2003 DC in this domain and yes
since Win7 / Server2k8r2 the devolution level criteria has changed– this
will have been the issue I guess.

I thought the client controlled the DNS Devolution level though and these
clients are Win10?



Win10 client querying against a 2008R2 DNS Servers



Example (you asked for it)



PS C:\> nslookup

Default Server:  nameserver

Address:  192.168.23.10



> set debug

> vpn.somedomain.com

Server:  nameserver

Address:  192.168.23.10



------------

Got answer:

    HEADER:

        opcode = QUERY, id = 2, rcode = NXDOMAIN

        header flags:  response, auth. answer, want recursion, recursion
avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0



    QUESTIONS:

        vpn.somedomain.com.somedomain.com.au, type = A, class = IN

    AUTHORITY RECORDS:

    ->  somedomain.com.au

        ttl = 3600 (1 hour)

        primary name server = sterdevel.somedomain.com.au

        responsible mail addr = hostmaster. somedomain.com.au

        serial  = 185662

        refresh = 900 (15 mins)

        retry   = 600 (10 mins)

        expire  = 86400 (1 day)

        default TTL = 900 (15 mins)



------------

------------

Got answer:

    HEADER:

        opcode = QUERY, id = 3, rcode = NXDOMAIN

        header flags:  response, auth. answer, want recursion, recursion
avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0



    QUESTIONS:

        vpn. somedomain.com. somedomain.com.au, type = A, class = IN

    AUTHORITY RECORDS:

    ->  somedomain.com.au

        ttl = 3600 (1 hour)

        primary name server = sterdevel. somedomain.com.au

        responsible mail addr = hostmaster. somedomain.com.au

        serial  = 185662

        refresh = 900 (15 mins)

        retry   = 600 (10 mins)

        expire  = 86400 (1 day)

        default TTL = 900 (15 mins)



------------

------------

Got answer:

    HEADER:

        opcode = QUERY, id = 4, rcode = NOERROR

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 1,  authority records = 0,  additional = 0



    QUESTIONS:

        vpn. somedomain.com.com.au, type = A, class = IN

    ANSWERS:

    ->  vpn. somedomain.com.com.au

        internet address = 192.185.161.219

        ttl = 4021 (1 hour 7 mins 1 sec)



------------

Non-authoritative answer:

------------

Got answer:

    HEADER:

        opcode = QUERY, id = 5, rcode = NOERROR

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0



    QUESTIONS:

        vpn. somedomain.com.com.au, type = A, class = IN

    AUTHORITY RECORDS:

    ->  com.com.au

        ttl = 900 (15 mins)

        primary name server = ns1255.websitewelcome.com

        responsible mail addr = root.harrier.websitewelcome.com

        serial  = 2017051610 <(201)%20705-1610>

        refresh = 86400 (1 day)

        retry   = 7200 (2 hours)

        expire  = 3600000 (41 days 16 hours)

        default TTL = 86400 (1 day)



------------

Name:    vpn. somedomain.com.com.au

Address:  192.185.161.219                            <- this is the wrong
address



>





*From:* Nick Marsham [mailto:nick at c2conline.com.au]
*Sent:* Thursday, 1 June 2017 3:52 PM
*To:* Benjamin Ricardo <ben.ricardo at acs.net.au>; 'Ausnog' <
ausnog at lists.ausnog.net>
*Subject:* RE: [AusNOG] DNS Devolution targeting the .com.au space - should
we be worried?



DNS devolution in AD domains in all supported versions of Windows doesn’t
proceed past the FQDN of the forest root domain, so the only way you could
get into this exact scenario is by your FRD configured as “com.au”, or to
have a global search suffix list configured which includes the suffix
“com.au”, since global search suffix lists override devolution.



If you‘re able to provide me an example of how devolution could actually
cause the scenario you suggest in Windows 7/Server 2008R2 or newer, I’d be
very interested.



It’s also important to note that the owner com.com.au is not explicitly
“registering” A records in order to catch big-name companies: Their DNS
server simply has a ‘catchall’ which returns a landing page.



*From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
<ausnog-bounces at lists.ausnog.net>] *On Behalf Of *Benjamin Ricardo
*Sent:* Thursday, 1 June 2017 3:36 PM
*To:* 'Ausnog' <ausnog at lists.ausnog.net>
*Subject:* [AusNOG] DNS Devolution targeting the .com.au space - should we
be worried?



HI All,

Looking for thoughts on something that we uncovered today in the wild
(heard about it years ago but never seen it) regarding internal company
domains that are using public .com.au domain suffixes and whether there’s
something that should be done here.



The issue is caused by Microsofts Primary DNSSuffix Devolution and the
potential for legitimate traffic to be redirected to the owner of the
domain “com.com.au.” if your machine has a domain name of “
somehostname.somedomainname.com.au”

It is possible in this situation for a non-qualified query to do the
following:



ibm.com.somehostname.somedomainname.com.au     (NXDOMAIN)

ibm.com.somedomainname.com.au
(NXDOMAIN)

ibm.com.com.au
                                (NOERROR)



You can see the vulnerability.

The problem is now that it appears that the owner of the domain “com.com.au”
has started to register A records for big name domains such as .ibm.com in
the hope of catching non-fully qualified queries to these addresses.



I can only think that this is going to end badly for people.

Is this the sort of thing that could be flagged as abuse?



Appreciate any comments.



Ben



_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20170601/31d13c0c/attachment.html>

More information about the AusNOG mailing list