Got Packets? Odd duplicate DNS replies from 10.x IP Addresses
Last Updated: 2012-05-16 11:48:23 UTC
by Johannes Ullrich (Version: 1)
This is a clarification to Dan's diary from yesterday. We are interested to hear, if anybody else is seeing DNS replies from RFC1918 non-routable IP addresses, in particular from 10.0.0.0/8. So far, we only have one report, and we are trying to figure out if this is something wide spread, or something unique to this user.
This reader first noticed the problem when the firewall reported more dropped packets from 10.x addresses. Two example queries that caused the problem are A queries for 25280.ftp.download.akadns.net and adfarm.mplx.akadns.net. The reader receives two responses: One "normal" response from the IP address the query was sent to, and a second response from the 10.x address. As a result, the problem would go unnoticed even if the 10.x response is dropped. Both responses provide the same answer, so this may not be an attack, but more of a misconfiguration.
As a side note, initially the DNS protocol specifically allowed for replies to arrive from an IP address different then the one the query was sent to:
"Some name servers send their responses from different addresses than the one used to receive the query. That is, a resolver cannot rely that a response will come from the same address which it sent the corresponding query to. This name server bug is typically encountered in UNIX systems." (RFC1035)
However, later in RFC2181, this requirement was removed:
"Most, if not all, DNS clients, expect the address from which a reply is received to be the same address as that to which the query eliciting the reply was sent. This is true for servers acting as clients for the purposes of recursive query resolution, as well as simple resolver clients. The address, along with the identifier (ID) in the reply is used for disambiguating replies, and filtering spurious responses. This may, or may not, have been intended when the DNS was designed, but is now a fact of life." (RFC2181)
But we are NOT looking for responses that are coming from the wrong source, but duplicate responses. Once from the correct and once from the incorrect address.
Here an example "stray" packet submitted by the reader (slightly modified for privacy reasons and to better fit the screen)
Internet Protocol Version 4, Src: 10.17.x.y, Dst: ---removed--- Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 Total Length: 84 Identification: 0x2a7e (10878) Flags: 0x00 Fragment offset: 0 Time to live: 59 Protocol: UDP (17) Header checksum: correct User Datagram Protocol, Src Port: domain (53), Dst Port: antidotemgrsvr (2247) Domain Name System (response) Transaction ID: 0xb326 Flags: 0x8400 (Standard query response, No error) 1... .... .... .... = Response: Message is a response .000 0... .... .... = Opcode: Standard query (0) .... .1.. .... .... = Authoritative: Server is an authority for domain .... ..0. .... .... = Truncated: Message is not truncated .... ...0 .... .... = Recursion desired: Don't do query recursively .... .... 0... .... = Recursion available: Server can't do recursive queries .... .... .0.. .... = Z: reserved (0) .... .... ..0. .... = Answer not authenticated .... .... ...0 .... = Non-authenticated data: Unacceptable .... .... .... 0000 = Reply code: No error (0) Questions: 1 Answer RRs: 1 Authority RRs: 0 Additional RRs: 0 Queries ads.adsonar.akadns.net: type A, class IN Name: ads.adsonar.akadns.net Type: A (Host address) Class: IN (0x0001) Answers ads.adsonar.akadns.net: type A, class IN, addr 18.104.22.168 Name: ads.adsonar.akadns.net Type: A (Host address) Class: IN (0x0001) Time to live: 5 minutes Data length: 4 Addr: 22.214.171.124 (126.96.36.199)
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Platform Mapping Engineering
Akamai Technologies, Inc.
May 16th 2012
1 decade ago