[AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

Benjamin Ricardo ben.ricardo at acs.net.au
Thu Jun 1 20:04:13 EST 2017


Yep that’s a pretty good summary of the results.
The relative domain (or someone just forgetting the remaining period ".") used to catch us all the time about 19 years ago when we first started out with our first Bind server. Nothing like a few MX entries resolving as host.domain.com.domain.com. to teach you about that in a hurry.

The interesting difference here was finding out that nslookup behaved as I described and yet a ping or traceroute resolved correctly.

You of course are correct. Add the remaining "." with nslookup and you're all good.


From: Mark Smith [mailto:markzzzsmith at gmail.com]
Sent: Thursday, 1 June 2017 6:04 PM
To: Benjamin Ricardo <ben.ricardo at acs.net.au>
Cc: Nick Marsham <nick at c2conline.com.au>; <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

What you're seeing is quite expected, you're providing a relative domain name not an absolute one. Since it is relative, then the DNS resolver will try to use the list of search domains it has to resolve it.

The purpose of providing a domain to a client e.g. via DHCP is so that relative names can be used for things.

In the ISP world, it would be so that customers can type "mail" rather than "mail.isp.com". I don't think that is really much value anymore, as the only place people commonly type domain names is into their web browser, and they're full domain names outside the ISP's name space, even though they're technically not fully qualified - a fully qualified domain name has a dot on the end e.g. "mail.isp.com.". Also, ISPs provide full (relative) names on settings pages too.

So you have the following options

(a) always use fully qualified domain names i.e. ones that have dots on the end - which is impractical because it will be hard to change end user behaviour.

(b) work out where your resolver relative search list is and stop it listing .com.au. Something to try is to have a single search domain of '.', which would make all relative domain names absolute ones upon the first resolution attempt.

Try your nslookup query with a dot on the end and it should either entirely succeed or entirely fail on the first resolution attempt.


On 1 Jun. 2017 17:38, "Benjamin Ricardo" <ben.ricardo at acs.net.au> wrote:
Ahh yes I hadn’t thought of the catchall.

You are correct Nick, there is still an old 2003 DC in this domain and yes, since Win7 / Server2k8r2 the devolution level criteria has changed – this will have been the issue I guess.
I thought the client controlled the DNS Devolution level though and these clients are Win10?

Win10 client querying against 2008R2 DNS servers

Example (you asked for it)

PS C:\> nslookup
Default Server:  nameserver
Address:  192.168.23.10

> set debug
> vpn.somedomain.com
Server:  nameserver
Address:  192.168.23.10

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        vpn.somedomain.com.somedomain.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  somedomain.com.au
        ttl = 3600 (1 hour)
        primary name server = sterdevel.somedomain.com.au
        responsible mail addr = hostmaster.somedomain.com.au
        serial  = 185662
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        vpn.somedomain.com.somedomain.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  somedomain.com.au
        ttl = 3600 (1 hour)
        primary name server = sterdevel.somedomain.com.au
        responsible mail addr = hostmaster.somedomain.com.au
        serial  = 185662
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        vpn.somedomain.com.com.au, type = A, class = IN
    ANSWERS:
    ->  vpn.somedomain.com.com.au
        internet address = 192.185.161.219
        ttl = 4021 (1 hour 7 mins 1 sec)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        vpn.somedomain.com.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  com.com.au
        ttl = 900 (15 mins)
        primary name server = ns1255.websitewelcome.com
        responsible mail addr = root.harrier.websitewelcome.com
        serial  = 2017051610
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)

------------
Name:    vpn.somedomain.com.com.au
Address:  192.185.161.219                            <- this is the wrong address

>


From: Nick Marsham [mailto:nick at c2conline.com.au]
Sent: Thursday, 1 June 2017 3:52 PM
To: Benjamin Ricardo <ben.ricardo at acs.net.au>; 'Ausnog' <ausnog at lists.ausnog.net>
Subject: RE: [AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

DNS devolution in AD domains in all supported versions of Windows doesn’t proceed past the FQDN of the forest root domain, so the only way you could get into this exact scenario is by your FRD configured as “com.au”, or to have a global search suffix list configured which includes the suffix “com.au”, since global search suffix lists override devolution.

If you're able to provide me an example of how devolution could actually cause the scenario you suggest in Windows 7/Server 2008R2 or newer, I'd be very interested.

It's also important to note that the owner of com.com.au is not explicitly "registering" A records in order to catch big-name companies: Their DNS server simply has a 'catchall' which returns a landing page.

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Benjamin Ricardo
Sent: Thursday, 1 June 2017 3:36 PM
To: 'Ausnog' <ausnog at lists.ausnog.net>
Subject: [AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

Hi All,
Looking for thoughts on something that we uncovered today in the wild (heard about it years ago but never seen it) regarding internal company domains that are using public .com.au domain suffixes and whether there’s something that should be done here.

The issue is caused by Microsoft's Primary DNS Suffix Devolution and the potential for legitimate traffic to be redirected to the owner of the domain "com.com.au." if your machine has a domain name of "somehostname.somedomainname.com.au".
It is possible in this situation for a non-qualified query to do the following:

ibm.com.somehostname.somedomainname.com.au    (NXDOMAIN)
ibm.com.somedomainname.com.au                 (NXDOMAIN)
ibm.com.com.au                                (NOERROR)

You can see the vulnerability.
The problem is now that it appears that the owner of the domain "com.com.au" has started to register A records for big name domains such as ibm.com in the hope of catching non-fully qualified queries to these addresses.

I can only think that this is going to end badly for people.
Is this the sort of thing that could be flagged as abuse?

Appreciate any comments.

Ben
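The suffix expansion described in the original post above, and the two fixes Mark suggests (a trailing dot, or a search list of just "."), modelled as an added example that is not part of the thread. The resolver is a constructed in-memory table standing in for the real DNS, the catch-all under `com.com.au` is modelled as a wildcard, and `devolve()` is a simplified stand-in for the Windows devolution level (it stops when the suffix would have fewer labels than `min_labels`), not a reimplementation of the Windows DNS client. The addresses are constructed documentation-range values, not the ones from the thread. `foreign_suffixes()` is the check a defender would want: it flags any search-list entry that would let a relative query be completed under a zone the organisation does not control.

```python
"""Simplified model of DNS search-suffix expansion and primary-suffix devolution.

Added illustration, not code from the thread. ZONE_DATA, the catch-all and
the addresses are constructed; devolve() is a simplified model of the
Windows devolution level, not the real client algorithm.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: the host the organisation actually wants to reach.
ZONE_DATA: Dict[str, str] = {
    "vpn.somedomain.com.": "198.51.100.7",   # constructed: the intended host
}
# Constructed third-party zone whose catch-all answers for any name under it.
CATCHALL_SUFFIX = "com.com.au."
CATCHALL_ADDRESS = "192.0.2.1"                # constructed landing-page address


def devolve(primary_suffix: str, min_labels: int) -> List[str]:
    """Return the devolution list for a primary DNS suffix.

    Each step drops the leftmost label and stops once the suffix would have
    fewer than min_labels labels (simplified stand-in for the devolution
    level). "somedomain.com.au" with min_labels=2 gives
    ["somedomain.com.au", "com.au"]; with min_labels=3 only the primary
    suffix remains, so no candidate ever lands under com.au directly.
    """
    labels = primary_suffix.rstrip(".").split(".")
    out: List[str] = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidates(name: str, search_list: List[str]) -> List[str]:
    """Expand a query name into the absolute names a stub resolver would try.

    A name with a trailing dot is already absolute and is tried exactly once.
    Otherwise each search-list suffix is appended in turn and the bare name,
    made absolute, is tried last. A search list of ["."] therefore makes the
    very first candidate the absolute form of the name itself.
    """
    if name.endswith("."):
        return [name]
    out: List[str] = []
    for suffix in search_list:
        suffix = suffix.strip(".")
        out.append(f"{name}.{suffix}." if suffix else f"{name}.")
    bare = f"{name}."
    if bare not in out:
        out.append(bare)
    return out


def lookup(fqdn: str) -> Optional[str]:
    """Constructed resolver: exact match first, then the catch-all zone, else NXDOMAIN."""
    if fqdn in ZONE_DATA:
        return ZONE_DATA[fqdn]
    if fqdn.endswith("." + CATCHALL_SUFFIX):
        return CATCHALL_ADDRESS
    return None


def resolve(name: str, search_list: List[str]) -> Optional[Tuple[str, str]]:
    """Try each candidate in order; return (name tried, address) for the first answer."""
    for candidate in candidates(name, search_list):
        address = lookup(candidate)
        if address is not None:
            return candidate, address
    return None


def foreign_suffixes(search_list: List[str], owned_suffix: str) -> List[str]:
    """Return search-list entries that are not at or below the suffix you control.

    Any such entry lets a relative query be completed under someone else's
    zone, which is exactly the condition the thread describes. A bare "."
    is not foreign: it only makes names absolute.
    """
    owned = owned_suffix.strip(".").lower()
    bad: List[str] = []
    for suffix in search_list:
        s = suffix.strip(".").lower()
        if s and not (s == owned or s.endswith("." + owned)):
            bad.append(suffix)
    return bad


if __name__ == "__main__":
    leaky = devolve("somedomain.com.au", min_labels=2)
    print(resolve("vpn.somedomain.com", leaky))    # catch-all wins: ('vpn.somedomain.com.com.au.', '192.0.2.1')
    print(resolve("vpn.somedomain.com.", leaky))   # trailing dot: ('vpn.somedomain.com.', '198.51.100.7')
    print(resolve("vpn.somedomain.com", ["."]))    # search list of '.': ('vpn.somedomain.com.', '198.51.100.7')
    print(foreign_suffixes(leaky, "somedomain.com.au"))  # ['com.au']
```

Running it reproduces the thread's sequence: with the devolved list the second candidate, `vpn.somedomain.com.com.au.`, is answered by the catch-all before the bare name is ever tried, while either a trailing dot or a search list of "." resolves the intended host on the first attempt. With `min_labels=3` the devolution list never contains `com.au` and `foreign_suffixes()` returns nothing, which is the configuration a defender wants to verify on the clients.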


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
