MoinQ:

1. DNS/FCP/考察/dns.jp

について、ここに記述してください。

jp に $random\.jp を問い合わせて、
 その否定応答に IN NS a\.dns\.jp と IN A を差し込めば攻撃できるじゃないですか。

肯定返答でも可能、というのが私の考察です。(否定返答の方は対策されてしまった。)

そういうTLDを探せばあるかも。

-- ToshinoriMaeno 2018-12-11 22:50:02

ひとつ思いつくのは

~% dig a ns2.dns.nl @ns1.dns.nl +dnssec

; <<>> DiG 9.9.5 <<>> a ns2.dns.nl @ns1.dns.nl +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51774
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 4c 41 58 31  (L) (A) (X) (1)
;; QUESTION SECTION:
;ns2.dns.nl.            IN A

;; ANSWER SECTION:
ns2.dns.nl.             3600 IN A 194.146.106.42
ns2.dns.nl.             3600 IN RRSIG A 8 3 3600 (
                                20181217042032 20181203090702 12456 nl.
                                hWXgYO3WOW0E9ed40cOGlYyMoZSs4J3ntvHCV4buk/oS
                                L3g5bm2cDnFpvUaqb5wHikUzgMkHZjN5TiEHMRb6LylH
                                XtKJHbhcFxLdB5dMjYtI7Knfxb1PNrHTg4hY2qo0mZOm
                                P4nKs78fJQhHnGqhR1vfft8GxxF2G6nR3v4GVMk= )

;; Query time: 117 msec
;; SERVER: 194.0.28.53#53(194.0.28.53)
;; WHEN: Wed Dec 12 12:40:45 JST 2018
;; MSG SIZE  rcvd: 225

が長ければ、みたいな話でしょうかね。-- tss 2018-12-12 03:41:28

おっとこれは委任ではありませんね。(でも長ければ毒入れには使えそう) -- tss 2018-12-12 06:03:22

2. JP

$ dig +dnssec jp @a.root-servers.net

; <<>> DiG 9.12.3 <<>> +dnssec jp @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40474
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 11, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp.                            IN      A

;; AUTHORITY SECTION:
jp.                     172800  IN      NS      a.dns.jp.
jp.                     172800  IN      NS      d.dns.jp.
jp.                     172800  IN      NS      e.dns.jp.
jp.                     172800  IN      NS      f.dns.jp.
jp.                     172800  IN      NS      h.dns.jp.
jp.                     172800  IN      NS      g.dns.jp.
jp.                     172800  IN      NS      c.dns.jp.
jp.                     172800  IN      NS      b.dns.jp.
jp.                     86400   IN      DS      54004 8 1 0EC348CC7E6D3213CC89E5867088043FC7D5C111
jp.                     86400   IN      DS      54004 8 2 5F4B24F667BC70880720D10DF317DC8FF80C63E586D504E6BBFE53F0 B9ECC040
jp.                     86400   IN      RRSIG   DS 8 1 86400 20181224200000 20181211190000 2134 . oNJHvb6Aoj1h9Q5wUqtFjF7qshEf8NoWpoXLTO2Cn3nx9jieCKtrMfyS Ei7CGRPmgHVklrdV9TmPJ216YiCQo717kr1kmNAIXTaOcVm0vnkSyOeM e1+Ef75hzyVpALy4NJJ49sKUIbUUKMkOWNn7IRW+U0W17a5esX5urDv8 48djBfRDIEJn40BULMdMJ2HT9wSEtT02JwSqPJOFR1QqzowA1NBnkogi dzdiXQmoPw0eb+1rhP9O9HYxVs4neuGECaTeNnAvKsgsvc6ov5cmyQMj LE9xKfVhjhGdaLo88ZB/OM/5DP5WDPrxLKg6g87TwnFmu7EQTfxCdRL8 dRTBsw==

;; ADDITIONAL SECTION:
a.dns.jp.               172800  IN      A       203.119.1.1
a.dns.jp.               172800  IN      AAAA    2001:dc4::1
d.dns.jp.               172800  IN      A       210.138.175.244
d.dns.jp.               172800  IN      AAAA    2001:240::53
e.dns.jp.               172800  IN      A       192.50.43.53
e.dns.jp.               172800  IN      AAAA    2001:200:c000::35
f.dns.jp.               172800  IN      A       150.100.6.8
f.dns.jp.               172800  IN      AAAA    2001:2f8:0:100::153
h.dns.jp.               172800  IN      A       65.22.40.25
h.dns.jp.               172800  IN      AAAA    2a01:8840:1ba::25
g.dns.jp.               172800  IN      A       203.119.40.1
c.dns.jp.               172800  IN      A       156.154.100.5
c.dns.jp.               172800  IN      AAAA    2001:502:ad09::5
b.dns.jp.               172800  IN      A       202.12.30.131
b.dns.jp.               172800  IN      AAAA    2001:dc2::1

;; Query time: 6 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: 水 12月 12 13:04:10 JST 2018
;; MSG SIZE  rcvd: 858

root-serverはadditional を混ぜてますね。-- ToshinoriMaeno 2018-12-12 04:07:12

3. qmail.jp

Cookieは外して考えた方がよさそう。

この程度が長いという世界を想定しています。

$ dig +dnssec qmail.jp @a.dns.jp

; <<>> DiG 9.12.3 <<>> +dnssec qmail.jp @a.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26434
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 7333216f1fc2c608a2f7c18f5c1089417f230a0d337db64e (good)
;; QUESTION SECTION:
;qmail.jp.                      IN      A

;; AUTHORITY SECTION:
qmail.jp.               86400   IN      NS      a.ns.qmail.jp.
TL3E9MCE8KE1PUDULD7G5JUB5D7CAVQI.jp. 900 IN NSEC3 1 1 8 0B645814A5 TL3QIB30GAAN9EE2TJVJNVBMMOGA0AC0 NS SOA RRSIG DNSKEY NSEC3PARAM
TL3E9MCE8KE1PUDULD7G5JUB5D7CAVQI.jp. 900 IN RRSIG NSEC3 8 2 900 20190107174502 20181208174502 45828 jp. Jd0g6uuLYXf9WXDJFT1btwMrbUmColzQTJlnlPfEkuMSogw/HQ8O9B6R JspdfjdpabD0Cc3CVZeBHmaGRPa6v9+ul8M0onH8ThUXCo9Yq4/2xPDG szANAufiD2VFRiKD+InounH2g7IXKMYDYAX5uDk9KHB80+wan8Cdi61l zJM=
T4IF14B6GQ8JNBTF8M2Q5QA2FCKETM22.jp. 900 IN NSEC3 1 1 8 0B645814A5 T5034HSOH09SI9ITODHEQ0HVS4U22SVH TXT RRSIG
T4IF14B6GQ8JNBTF8M2Q5QA2FCKETM22.jp. 900 IN RRSIG NSEC3 8 2 900 20190107174502 20181208174502 45828 jp. lS8h86uZaoNrhQaDFx3qldcbCrtMM9qb/O/g74G+qNvtj3tPUv41nyse YuRuanxFRgfNNa383IQjNQzbVs3z+FlM0XcNAjTOAIKqmnEI5Cyx6Jgz aEDvqKMmut/0jvFPKA0w2VVjoZ5tFzGbmGcGeA8RcpFZebBGXpzsGqYy x5E=

;; ADDITIONAL SECTION:
a.ns.qmail.jp.          86400   IN      A       14.192.44.5

;; Query time: 7 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: 水 12月 12 13:06:25 JST 2018
;; MSG SIZE  rcvd: 593

4. xserver利用ドメイン

当初思ったのはこういうドメインを多数集めれば、xserver.jp NS のAなどに毒が入れられる。

$ dig +nocookie +dnssec 003.jp @a.dns.jp

; <<>> DiG 9.12.3 <<>> +nocookie +dnssec 003.jp @a.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22438
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;003.jp.                                IN      A

;; AUTHORITY SECTION:
003.jp.                 86400   IN      NS      ns3.xserver.jp.
003.jp.                 86400   IN      NS      ns1.xserver.jp.
003.jp.                 86400   IN      NS      ns5.xserver.jp.
003.jp.                 86400   IN      NS      ns4.xserver.jp.
003.jp.                 86400   IN      NS      ns2.xserver.jp.
TL3E9MCE8KE1PUDULD7G5JUB5D7CAVQI.jp. 900 IN NSEC3 1 1 8 0B645814A5 TL3QIB30GAAN9EE2TJVJNVBMMOGA0AC0 NS SOA RRSIG DNSKEY NSEC3PARAM
TL3E9MCE8KE1PUDULD7G5JUB5D7CAVQI.jp. 900 IN RRSIG NSEC3 8 2 900 20190107174502 20181208174502 45828 jp. Jd0g6uuLYXf9WXDJFT1btwMrbUmColzQTJlnlPfEkuMSogw/HQ8O9B6R JspdfjdpabD0Cc3CVZeBHmaGRPa6v9+ul8M0onH8ThUXCo9Yq4/2xPDG szANAufiD2VFRiKD+InounH2g7IXKMYDYAX5uDk9KHB80+wan8Cdi61l zJM=
QEN8374NAQSE9D1OI5TGED0AU0EC1K9I.jp. 900 IN NSEC3 1 1 8 0B645814A5 QF2P3L4743FREBMIQAU3QA681BT3FBG1 NS DS RRSIG
QEN8374NAQSE9D1OI5TGED0AU0EC1K9I.jp. 900 IN RRSIG NSEC3 8 2 900 20190107174502 20181208174502 45828 jp. Yw8WH+vbb9JGQbMynY49SuOa6k9jE485IjoMdk89m0X9r6GGK0m34KNn 0vI745vSsWmok5pgnjs1JmMhS4A4X/V+pjdVCIPmlXJhKIfRw4eUVbuW S6xnfixVere28Bq8uSstzMhbngMRVP2mYHN/bA60VQh9W0CYfS/sGuyf 6aE=

;; ADDITIONAL SECTION:
ns1.xserver.jp.         86400   IN      A       219.94.200.164
ns1.xserver.jp.         86400   IN      A       219.94.200.170
ns1.xserver.jp.         86400   IN      A       219.94.200.246
ns2.xserver.jp.         86400   IN      A       157.112.182.221
ns2.xserver.jp.         86400   IN      A       157.112.182.225
ns2.xserver.jp.         86400   IN      A       210.188.201.246
ns3.xserver.jp.         86400   IN      A       219.94.200.247
ns4.xserver.jp.         86400   IN      A       183.90.224.226
ns4.xserver.jp.         86400   IN      A       183.90.224.230
ns4.xserver.jp.         86400   IN      A       219.94.203.247
ns5.xserver.jp.         86400   IN      A       210.188.201.247
ns5.xserver.jp.         86400   IN      A       157.112.182.218
ns5.xserver.jp.         86400   IN      A       157.112.182.220

;; Query time: 5 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: 水 12月 12 13:09:50 JST 2018
;; MSG SIZE  rcvd: 834

多数への攻撃ではなくて、xserver.jp A への攻撃だとは考えられませんか。-- ToshinoriMaeno 2018-12-12 05:13:26

delegation返答を期待する場合のAdditional毒盛も可能であることを理解してもらえば十分です。

残るはAnswer Sectionが空でない場合です。

-- ToshinoriMaeno 2018-12-12 08:53:57

5. wildcard record

書き忘れたけど、ワイルドカードレコードがあると、かなり危険です。

%dig +dnssec \*.003.jp @ns1.xserver.jp                        ~/dnsq/1210

; <<>> DiG 9.12.1 <<>> +dnssec *.003.jp @ns1.xserver.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63376
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;*.003.jp.                      IN      A

;; ANSWER SECTION:
*.003.jp.               86400   IN      A       219.94.203.149

;; Query time: 8 msec
;; SERVER: 219.94.200.246#53(219.94.200.246)
;; WHEN: Wed Dec 12 23:48:47 JST 2018
;; MSG SIZE  rcvd: 42

SOAなしのNoData返答を見かけた。

$ dig -t aaaa zzzzxxxx.003.jp @ns1.xserver.jp

; <<>> DiG 9.12.3 <<>> -t aaaa zzzzxxxx.003.jp @ns1.xserver.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36670
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;zzzzxxxx.003.jp.               IN      AAAA

;; Query time: 12 msec
;; SERVER: 219.94.200.246#53(219.94.200.246)
;; WHEN: 木 12月 13 00:09:31 JST 2018
;; MSG SIZE  rcvd: 33