[168509] in North American Network Operators' Group


Re: BCP38.info

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Jan 28 14:16:32 2014

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <14976.1390935007@turing-police.cc.vt.edu>
Date: Tue, 28 Jan 2014 14:16:09 -0500
To: Valdis.Kletnieks@vt.edu
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks@vt.edu wrote:

> On Tue, 28 Jan 2014 08:06:31 -0500, Jared Mauch said:
> 
>>  52731 ASN7922
> 
>> It includes IP address where you send a DNS packet to it and another IP address responds to the query, e.g.:
> 
>> The data only includes those where the “source-ASN” and “dest-asn” of these packets don’t match.
> 
> Hang on Jared, I'm trying to wrap my head around this.  You're saying that
> AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
> you get an answer back from *an entirely different ASN*? How the heck does
> *that* happen?

Yup.

> Hmm.. Comcast.  Anybody over there have an explanation what's going on there?

Most of these devices are CPE that perform DNS redirection/proxy wrong because they didn't constrain their udp/53 rule in iptables to only work on the "inside" interface.  They then send the packet to their configured DNS server (e.g. 8.8.8.8) and rewrite the source address in the packet to be the IP address of the OpenResolverProject.org scanning server.  They then spoof me to 8.8.8.8 and I get the response from there.

I have a unique QNAME per-IP I send, so I can decrypt/decode this to get the original destination to detect this.

I mentioned this in the past, so please don't act so surprised :)

http://mailman.nanog.org/pipermail/nanog/2013-August/060246.html

- Jared
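The per-IP QNAME trick Jared describes above, written out as an added example (this is not Open Resolver Project code). The probed address is packed into the leftmost label of the query name, so when an answer arrives from a different IP the original destination can still be recovered and the source-ASN / dest-ASN mismatch tallied. The `probe.example` zone, the addresses and the `ASN_OF` mapping are all constructed for the example.

```python
import base64
import ipaddress
from collections import Counter

# Constructed measurement zone; the real project used its own domain.
BASE_DOMAIN = "probe.example"


def encode_probe_qname(target_ip: str) -> str:
    """Embed the probed IP in the leftmost label of the QNAME.

    Base32 keeps the label within the [a-z0-9] hostname alphabet and
    works for both IPv4 (7 chars) and IPv6 (26 chars) addresses.
    """
    packed = ipaddress.ip_address(target_ip).packed
    label = base64.b32encode(packed).decode("ascii").rstrip("=").lower()
    return f"{label}.{BASE_DOMAIN}"


def decode_probe_qname(qname: str) -> str:
    """Recover the original destination IP from a probe QNAME."""
    label = qname.rstrip(".").split(".")[0].upper()
    label += "=" * (-len(label) % 8)  # restore base32 padding
    return str(ipaddress.ip_address(base64.b32decode(label)))


def classify_response(responder_ip: str, qname: str, asn_of: dict) -> dict:
    """Compare who answered with whom we asked.

    A 'cross-asn-redirect' is the case in the thread: the CPE forwarded
    our query with our address as source, and the upstream resolver
    answered us directly from another network.
    """
    target = decode_probe_qname(qname)
    if responder_ip == target:
        kind = "direct"
    elif asn_of.get(responder_ip) == asn_of.get(target):
        kind = "same-asn-redirect"
    else:
        kind = "cross-asn-redirect"
    return {"target": target, "responder": responder_ip, "kind": kind}


def tally_cross_asn(responses, asn_of: dict) -> Counter:
    """Count cross-ASN redirects per *probed* ASN (the ASN of the CPE)."""
    counts = Counter()
    for responder_ip, qname in responses:
        verdict = classify_response(responder_ip, qname, asn_of)
        if verdict["kind"] == "cross-asn-redirect":
            counts[asn_of.get(verdict["target"])] += 1
    return counts


# Constructed IP -> ASN map (documentation prefixes, private ASNs).
ASN_OF = {
    "192.0.2.10": 64500,      # probed CPE
    "192.0.2.11": 64500,      # probed CPE
    "192.0.2.20": 64500,      # well-behaved resolver in the same ASN
    "198.51.100.53": 64501,   # upstream resolver the CPE forwards to
    "203.0.113.8": 64502,     # resolver in a third ASN
}

# Constructed observations: (IP that answered, QNAME seen in the answer).
SAMPLE_RESPONSES = [
    ("192.0.2.20", encode_probe_qname("192.0.2.20")),       # direct
    ("198.51.100.53", encode_probe_qname("192.0.2.10")),    # CPE forwarded to upstream
    ("203.0.113.8", encode_probe_qname("192.0.2.11")),      # CPE forwarded elsewhere
    ("192.0.2.20", encode_probe_qname("192.0.2.11")),       # redirect inside the same ASN
]

if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        print(classify_response(*resp, ASN_OF))
    print(tally_cross_asn(SAMPLE_RESPONSES, ASN_OF))
```

In practice the label would also carry a nonce or timestamp so a cached or replayed answer cannot be mistaken for a fresh one; the essential point is that the answer's QNAME, not its source address, identifies which host was probed.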


