1. DNS/Implementation/KnotDNSresolver/NXDOMAIN handling
When a Kaminsky-style attack is under way, the zone server returns NXDOMAIN.
- This information can be used to detect cache poisoning attacks. It can also be used for defense.
But does Knot Resolver make use of this? It does not appear to.
- It seems to use it partially (see the example below): qname minimisation, since it can be used to find the zone cut.
-- ToshinoriMaeno 2016-03-18 00:55:04
NXDOMAIN responses are stored separately from the normal cache.
It is better to think of them as being handled much like NoData responses. -- ToshinoriMaeno 2017-10-20 13:59:07
- A query whose qname or qtype does not match a cached entry triggers an upstream query.
Lookup example: note the qname minimisation
$ kdig xxxxx.zzzzz.a.ns.qmail.jp @127.0.0.3
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 43848
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; xxxxx.zzzzz.a.ns.qmail.jp. IN A

;; AUTHORITY SECTION:
qmail.jp. 2560 IN SOA a.ns.qmail.jp. hostmaster.m.qmail.jp. 1454758295 16384 2048 1048576 2560

;; Received 92 B
;; Time 2016-03-18 10:43:38 JST
;; From 127.0.0.3@53(UDP) in 36.8 ms

[plan] plan 'xxxxx.zzzzz.a.ns.qmail.jp.' type 'A'
[resl] => using root hints
[resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[resl] optional: '199.7.83.42' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[resl] optional: '193.0.14.129' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[resl] optional: '192.58.128.30' score: 10 zone cut: '.' m12n: 'Jp.' type: 'NS'
[iter] <= referral response, follow
[resl] <= server: '202.12.27.33' rtt: 6 ms
[resl] => querying: '203.119.40.1' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[resl] optional: '150.100.6.8' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[resl] optional: '192.50.43.53' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[resl] optional: '210.138.175.244' score: 10 zone cut: 'jp.' m12n: 'QmAiL.jP.' type: 'NS'
[iter] <= referral response, follow
[resl] <= server: '203.119.40.1' rtt: 5 ms
[resl] => querying: '14.192.44.5' score: 10 zone cut: 'qmail.jp.' m12n: 'Ns.QmaiL.jp.' type: 'NS'
[iter] <= rcode: NOERROR
[iter] <= found cut, retrying with non-minimized name
[ pc ] => answer cached for TTL=900
[resl] <= server: '14.192.44.5' rtt: 11 ms
[resl] => querying: '14.192.44.5' score: 11 zone cut: 'qmail.jp.' m12n: 'XxxXx.ZzZzz.A.Ns.qMaIl.Jp.' type: 'A'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] <= server: '14.192.44.5' rtt: 11 ms
[resl] finished: 4, queries: 1, mempool: 16400 B
$ kdig yyyy.zzzzz.a.ns.qmail.jp @127.0.0.3
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39862
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; yyyy.zzzzz.a.ns.qmail.jp. IN A

;; AUTHORITY SECTION:
qmail.jp. 2560 IN SOA a.ns.qmail.jp. hostmaster.m.qmail.jp. 1454758295 16384 2048 1048576 2560

;; Received 91 B
;; Time 2016-03-18 10:46:54 JST
;; From 127.0.0.3@53(UDP) in 12.9 ms

[plan] plan 'yyyy.zzzzz.a.ns.qmail.jp.' type 'A'
[resl] => querying: '14.192.44.5' score: 11 zone cut: 'qmail.jp.' m12n: 'Yyyy.zzZzz.a.nS.QMAiL.JP.' type: 'A'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] <= server: '14.192.44.5' rtt: 12 ms
[resl] finished: 4, queries: 1, mempool: 16400 B
The fact that ns.qmail.jp has no NS records is cached!
$ kdig ns ns.qmail.jp @127.0.0.3
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 25085
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; ns.qmail.jp. IN NS

;; AUTHORITY SECTION:
qmail.jp. 2273 IN SOA a.ns.qmail.jp. hostmaster.m.qmail.jp. 1454758295 16384 2048 1048576 2560

;; Received 80 B
;; Time 2016-03-18 10:48:25 JST
;; From 127.0.0.3@53(UDP) in 0.3 ms

[plan] plan 'ns.qmail.jp.' type 'NS'
[ pc ] => satisfied from cache
[iter] <= rcode: NOERROR
[resl] finished: 4, queries: 1, mempool: 16400 B
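The behaviour in the three kdig sessions above, as an added model (not Knot Resolver's own code): a cache keyed by (qname, qtype) that stores NXDOMAIN and NoData answers the same way as positive ones, plus the qname minimisation step below a known zone cut. The authoritative side is a constructed stub standing in for 14.192.44.5; which names exist in qmail.jp is assumed.

```python
ZONE_CUT = "qmail.jp."
# Constructed stub zone data for the qmail.jp authoritative server (14.192.44.5
# in the logs): only these names exist, so ns.qmail.jp. is an empty non-terminal
# (NoData for NS) and anything below a.ns.qmail.jp. is NXDOMAIN.
EXISTING = {"qmail.jp.", "a.ns.qmail.jp.", "m.qmail.jp."}

def exists(qname):
    """A name exists if it is a zone name or an ancestor of one (empty non-terminal)."""
    return any(n == qname or n.endswith("." + qname) for n in EXISTING)

def upstream(qname, qtype):
    """Stub authoritative answer, rcode only: NOERROR with no records (NoData)
    for an existing name, NXDOMAIN otherwise. qtype does not change the rcode here."""
    return "NOERROR" if exists(qname) else "NXDOMAIN"

class Resolver:
    """Cache keyed by (qname, qtype): only an exact key hit avoids an upstream
    query, which is why yyyy.zzzzz... is sent upstream even though
    xxxxx.zzzzz... under the same parent was already NXDOMAIN."""
    def __init__(self, ttl=900):
        self.cache = {}   # (qname, qtype) -> (rcode, expiry)
        self.ttl = ttl
        self.sent = []    # upstream queries actually sent, in order

    def query(self, qname, qtype, now):
        key = (qname.lower(), qtype)   # case-insensitive key (m12n in the logs)
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0]              # [ pc ] satisfied from cache
        rcode = upstream(key[0], qtype)
        self.sent.append(key)
        self.cache[key] = (rcode, now + self.ttl)   # [ pc ] answer cached
        return rcode

    def resolve_a(self, qname, now=0):
        """A lookup with qname minimisation below the already-known ZONE_CUT."""
        name = qname.lower().rstrip(".") + "."
        labels = name.rstrip(".").split(".")
        depth = len(ZONE_CUT.rstrip(".").split("."))
        if len(labels) > depth + 1:
            # Probe NS for the next label under the cut (ns.qmail.jp.). Assumption
            # of this model: NXDOMAIN for the probe means nothing below it exists.
            probe = ".".join(labels[-(depth + 1):]) + "."
            if self.query(probe, "NS", now) == "NXDOMAIN":
                return "NXDOMAIN"
        return self.query(name, "A", now)   # retry with the non-minimised name
```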