[AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

Benjamin Ricardo ben.ricardo at acs.net.au
Thu Jun 1 17:37:45 EST 2017


Ahh yes I hadn't thought of the catchall.

You are correct Nick there is still an old 2003 DC in this domain and yes since Win7 / Server2k8r2 the devolution level criteria has changed- this will have been the issue I guess.
I thought the client controlled the DNS Devolution level though and these clients are Win10?

Win10 client querying against a 2008R2 DNS Servers

Example (you asked for it)

PS C:\> nslookup
Default Server:  nameserver
Address:  192.168.23.10

> set debug
> vpn.somedomain.com
Server:  nameserver
Address:  192.168.23.10

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        vpn.somedomain.com.somedomain.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  somedomain.com.au
        ttl = 3600 (1 hour)
        primary name server = sterdevel.somedomain.com.au
        responsible mail addr = hostmaster. somedomain.com.au
        serial  = 185662
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        vpn. somedomain.com. somedomain.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  somedomain.com.au
        ttl = 3600 (1 hour)
        primary name server = sterdevel. somedomain.com.au
        responsible mail addr = hostmaster. somedomain.com.au
        serial  = 185662
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        vpn. somedomain.com.com.au, type = A, class = IN
    ANSWERS:
    ->  vpn. somedomain.com.com.au
        internet address = 192.185.161.219
        ttl = 4021 (1 hour 7 mins 1 sec)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        vpn. somedomain.com.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  com.com.au
        ttl = 900 (15 mins)
        primary name server = ns1255.websitewelcome.com
        responsible mail addr = root.harrier.websitewelcome.com
        serial  = 2017051610
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)

------------
Name:    vpn. somedomain.com.com.au
Address:  192.185.161.219                            <- this is the wrong address

>


From: Nick Marsham [mailto:nick at c2conline.com.au]
Sent: Thursday, 1 June 2017 3:52 PM
To: Benjamin Ricardo <ben.ricardo at acs.net.au>; 'Ausnog' <ausnog at lists.ausnog.net>
Subject: RE: [AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

DNS devolution in AD domains in all supported versions of Windows doesn't proceed past the FQDN of the forest root domain, so the only way you could get into this exact scenario is by your FRD configured as "com.au", or to have a global search suffix list configured which includes the suffix "com.au", since global search suffix lists override devolution.

If you're able to provide me an example of how devolution could actually cause the scenario you suggest in Windows 7/Server 2008R2 or newer, I'd be very interested.

It's also important to note that the owner com.com.au is not explicitly "registering" A records in order to catch big-name companies: Their DNS server simply has a 'catchall' which returns a landing page.

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Benjamin Ricardo
Sent: Thursday, 1 June 2017 3:36 PM
To: 'Ausnog' <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>>
Subject: [AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

HI All,
Looking for thoughts on something that we uncovered today in the wild (heard about it years ago but never seen it) regarding internal company domains that are using public .com.au domain suffixes and whether there's something that should be done here.

The issue is caused by Microsofts Primary DNSSuffix Devolution and the potential for legitimate traffic to be redirected to the owner of the domain "com.com.au." if your machine has a domain name of "somehostname.somedomainname.com.au"
It is possible in this situation for a non-qualified query to do the following:

ibm.com.somehostname.somedomainname.com.au     (NXDOMAIN)
ibm.com.somedomainname.com.au                                      (NXDOMAIN)
ibm.com.com.au                                                                              (NOERROR)

You can see the vulnerability.
The problem is now that it appears that the owner of the domain "com.com.au" has started to register A records for big name domains such as .ibm.com in the hope of catching non-fully qualified queries to these addresses.

I can only think that this is going to end badly for people.
Is this the sort of thing that could be flagged as abuse?

Appreciate any comments.

Ben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20170601/d20be012/attachment.html>


More information about the AusNOG mailing list