Interesting People mailing list archives

IP: more on Re: ROOTS & PRIVACY ISSUES


From: Dave Farber <dave () farber net>
Date: Sun, 14 Apr 2002 07:05:06 -0400

Date: Sun, 14 Apr 2002 02:04:29 -0700
To: farber () cis upenn edu
From: Simon Higgs <simon () higgs com>
Subject: Re: IP: ROOTS & PRIVACY ISSUES


At 03:06 PM 4/13/2002 -0400, Dave Farber wrote:

For IP:

This is old news (by internet standards - it occurred in June 2001), but
nonetheless, it's a very intriguing "big deal about nothing".

Diebold used PCCF as an ISP to host two ORSC root servers. No big deal
there. When the contract with PCCF ended, Diebold decided to discontinue
their maintenance of the two root servers, and so the IP addresses
(205.189.73.10 and 205.189.73.102) reverted back to the PCCF pool. Again,
no big deal. Because of some unfortunate "politics" (putting it politely),
PCCF decided they didn't want to continue to provide root service for ORSC
and decided to throw a temporary, but novel, spanner in the works.

Normally, once DNS records are changed, all the queries resolve to the new
IP address at the new ISP. The problem for any root zone is that the root
server IPs are hard coded in the "hints" file of the root. If you know
BIND, then you know what a hints file looks like. If not, the legacy root
hints file can be found here:

ftp://rs.internic.net/domain/named.ca

The ORSC root looks exactly the same, but with different IP addresses, and
uses the "root-servers.orsc" domain name. Each DNS server (every single
one) has to be updated by its administrator when a new hints file is
published. Until that happens, the DNS server still queries the old IP
addresses in the old hints file.

After PCCF removed the ORSC root servers, the traffic for the ORSC root
continued to target the PCCF IP addresses. Inbound queries use bandwidth,
and non-answering IPs use even more bandwidth when the request is repeated
several times by the DNS client. What PCCF did to solve this problem was
very novel. Even though it was largely ineffective, it did bring to light
the issues raised by the letter below.

What PCCF did was to put two new root servers on the old Diebold IP
addresses. These root servers had a single root zone file that was unique
on the internet:

$ORIGIN .
@                      1D IN SOA      baptista.vortex. baptista.pccf.net. (
                        2001010154     ; serial
                        8H             ; refresh
                        2H             ; retry
                        1W             ; expire
                        1D )           ; minimum
                        1D IN NS       baptista.vortex.
baptista.vortex.       1D IN A        205.189.73.10
                        1D IN A        205.189.73.102
email.blackhole.       1D IN A        10.0.0.1
*.                     1D IN A        192.0.2.111
                        1D IN A        172.16.0.15
                        1D IN MX 5     email.blackhole.

This file might look like gibberish to some on IP, but what it does is to
answer every DNS request with the same two IP addresses - 192.0.2.111 and
172.16.0.15. That's right, every domain name you could possibly imagine
will resolve to those two IP addresses. And at both of those IP addresses
was a web site with an announcement that root service had been terminated,
forcing the end users to re-configure their DNS, and telling them (in
PCCF's opinion) why.

What the letter below outlines is that it is possible for root server
operators to trap the end user's DNS request for surveillance purposes (the
above root zone does exactly this). It's not a very clean process, because
it requires a redirect back to the true IP address after logging the
request. I'm quite sure this would end up on the security mailing lists
very quickly if the root server operators actually tried to do this since
there is an auditable packet trail which can be seen by the DNS client. For
instance, the PCCF "experiment" is unable to show any kind of packet
redirection from the surveillance IP address to the real destination IP
address - this would be required in order to show evidence of a transparent
surveillance practice.

Partly as a result of these events, ORSC has changed the way it provides
pointers to its root zone. The hints file is now obsolete, and each DNS
server using the ORSC root zone can now load the entire top level root zone
locally (remember this is the "Open Root Server Confederation"). This
removes the need to always query a limited set of root servers. Instead it
provides much faster resolution to DNS queries by allowing the query to
bypass the root servers and go straight to the TLD servers. If the legacy
root (US Gov/ICANN root) did the same thing, it would scale to a far larger
number of DNS clients than is currently possible, and even the remote
possibility of root server surveillance would be completely removed.

Other than that, the letter is a very nice way for PCCF to create some
unwarranted FUD and raise $10 from anyone wishing to see the logs of this
event. The logs are far better at showing the security vulnerabilities of
the web sites being visited than of any kind of root surveillance practice.

For archives see:
http://www.interesting-people.org/archives/interesting-people/
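As an added illustration (not part of the original post, and not PCCF's or ORSC's software), the Python below models how the catch-all zone quoted in the message answers A queries, including the wildcard rule that makes every unrelated name resolve to the same two addresses, and shows the client-side check a resolver operator could run to spot that behaviour: the zone's A records are copied from the post, while the probe names and the random `.invalid` nonce names are constructed for the example.

```python
import secrets

# A-record view of the catch-all root zone quoted in the post (SOA/NS/MX omitted).
ZONE_A = {
    "baptista.vortex.": ["205.189.73.10", "205.189.73.102"],
    "email.blackhole.": ["10.0.0.1"],
    "*.": ["192.0.2.111", "172.16.0.15"],
}

# Constructed "honest" zone for comparison: no wildcard, so unknown names get no answer.
HONEST_ZONE = {
    "www.example.com.": ["198.51.100.7"],
    "mail.example.org.": ["203.0.113.9"],
}

def normalize(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."

def node_exists(zone, name):
    """A name exists if it owns records or is an ancestor of a name that does."""
    return name == "." or any(n == name or n.endswith("." + name) for n in zone)

def resolve_a(zone, qname):
    """Answer an A query for qname from zone, applying the wildcard rule:
    the wildcard at the closest existing ancestor (and only that one) matches."""
    qname = normalize(qname)
    if qname in zone:
        return list(zone[qname])
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        ancestor = ".".join(labels[i:]) + "." if i < len(labels) else "."
        if node_exists(zone, ancestor):
            wildcard = "*." if ancestor == "." else "*." + ancestor
            return list(zone.get(wildcard, []))  # [] models NXDOMAIN
    return []

def looks_like_catchall(lookup, probes=None, nonces=3):
    """Probe unrelated names plus random, guaranteed-nonexistent names; if every
    one gets the same non-empty answer, the upstream is answering everything."""
    names = list(probes or ["www.example.com", "mail.example.org", "ftp.example.net"])
    names += [secrets.token_hex(6) + ".invalid" for _ in range(nonces)]
    answers = {tuple(sorted(lookup(n))) for n in names}
    return len(answers) == 1 and answers != {()}
```

Note that a name directly under an existing node (for example `foo.baptista.vortex.`) is not caught by `*.`, since its closest existing ancestor has no wildcard of its own.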
