Re: [Infowarrior] - China's Great Firewall spreads overseas

[RL Vaughn <rl_vaughn () baylor edu>]

On 3/29/10 11:54 AM, Danny McPherson wrote:
> On Mar 29, 2010, at 10:16 AM, RL Vaughn wrote:
>
> > On 3/29/10 9:53 AM, Valdis.Kletnieks () vt edu wrote:
> > > http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
> > >
> > > So was this a DNS or BGP issue? The reporter appears to be confused, or
> > > was it the Arbor Networks talking head?
> > It was a DNS issue.  One host in i-root was providing incorrect answers.
> > The reason for those incorrect answers is unknown but the solution was
> > to remove the responsible host from the i-root anycast.
>
> Are you certain of this Randy?  There are at least two questions:

Hmmm.  Perhaps I am reading too much into Kurtis Lindqvist's note on 
dns-operation.  In fact, in that note, Kurtis says they are still 
investigating the issue and, pending the results of that investigation,
they have:
"withdrawn the route announcements from one of our anycast nodes for 
i.root-servers.net"

But that certain seems like a 'fix' albeit the permanency of the fix
is not mentioned.


The dig output provided was:
$ dig @i.root-servers.net www.facebook.com A

; <<>> DiG 9.6.1-P3 <<>> @i.root-servers.net www.facebook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       86400   IN      A       8.7.198.45

;; Query time: 444 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Mar 24 14:21:54 2010
;; MSG SIZE  rcvd: 66




> 1) Why was someone in Chile using that server (i.e., the routing bit)
Good question.  I can imagine, of course, how someone in Chile can end 
up using i-root.


> 2) Why were the responses they were getting "incorrect"

The original report, again on dns-operations, mentions that when 
querying one of the i-root-server's nodes that node responds with an IP 
instead of a referral.

> Regarding the latter, just because a client receives an "incorrect
> answer" doesn't necessarily mean it's what the server ("i-root") was
> transmitting.
Exactly, other things can cause this symptom and I give those equal
weight as having a rogue node.  Still, the reported response appears
to identify a DNS issue.


> Removing the anycast instance from the i-root cluster means the
> ingress path towards i-root was withdraw, so that instance, and anything
> on the return path towards the client, are no longer an issue.  I think
> the latter set of my comments in the article from last week allude to
> this (i.e., potential middleboxen manipulation).


> That said, I do eagerly await an authoritative postmortem from
> the relevant parties.  But if you have data that suggests that
> "i-root was providing incorrect answers", I suspect folks would
> be quite interested in that.

Me too.  The only evidence I have is i-root has taken steps to avoid
producing the reportedly incorrect answers which does not imply they 
were the ones providing incorrect answers.

> -danny

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.