Comments on Matt Pounsett: The .io Error: A Problem With Bad Optics, But Little Substance

Anonymous (2017-07-11 12:23 -04:00):

Your assumption is that all resolvers will take the A records from the root and not resolve the names in the NS records.

It would be nice (and more secure, and also correct according to the RFCs) if they did, but many do not: they ask the root for NS records, and resolve them. That's why he was getting traffic. And if he had resolved the queries, he could have been quite successful at redirecting a lot of .io domain traffic.

Anonymous (2017-07-10 19:17 -04:00):

BTW, if you want to play with nameserver address fetching behavior, the relevant config options in Unbound are "target-fetch-policy" and "harden-referral-path".

Anonymous (2017-07-10 19:15 -04:00):

Hi, Matt:

I think you're assuming some very specific behavior on the part of the recursive DNS server here, namely that it keeps using the glue address records it got from the root for ns-a1[.]io, etc. when performing lookups in the .io bailiwick. This is implementation-specific behavior. I'm pretty sure BIND does it the way you described, but not all recursive DNS servers behave this way. E.g., Unbound will attempt to find authoritative nameserver address records when recursing rather than relying on glue address records, by default.

The thehackerblog[dot]com guy at least managed to obtain some DNS traffic. I see ~12K instances altogether between the four ns-a[1-4][dot]io names for type NS over a ~28-hour period.
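An added illustration (not code from the post or from any of the commenters) of the two Unbound options the second comment names, and of the default "fetch the nameserver addresses instead of trusting glue" behavior the third comment describes. The option names come from the comment; the values marked as defaults are those documented in unbound.conf(5); the alternative settings are my own suggestions of what to try when experimenting, not anything the commenters proposed.

```conf
# unbound.conf fragment (added example). Only the "server:" clause is shown;
# it drops into an existing Unbound configuration.
server:
    # Default: "3 2 0 0 0". One number per level of recursion depth, giving
    # how many NS target names Unbound will issue extra queries for in order
    # to learn their addresses from authoritative data, rather than using the
    # glue address records handed back in the referral. -1 means fetch all.
    # With the defaults, a referral from the root for ns-a1.io & co. makes
    # Unbound go and look the names up instead of trusting the glue.
    target-fetch-policy: "3 2 0 0 0"

    # Default: no. When set to yes, Unbound performs additional queries for
    # the infrastructure (NS and address) records along the referral path and
    # validates the replies where possible, instead of trusting the parent's
    # delegation as given. Off by default because of the extra query load.
    harden-referral-path: no

    # To make Unbound behave the way the post assumes (follow the glue it was
    # given, no extra target lookups), disable target fetching entirely:
    # target-fetch-policy: "0 0 0 0 0"

    # To go the other way and verify the delegation as hard as Unbound can:
    # target-fetch-policy: "-1 -1 -1 -1 -1"
    # harden-referral-path: yes
```

After changing either option, `unbound-checkconf` validates the syntax and `unbound-control reload` applies it; watching outbound queries (e.g. with tcpdump on port 53) for a fresh lookup under .io shows whether the resolver queries for the ns-a1.io address itself or simply uses the glue from the root referral.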