[Pdns-users] pdns_recursor trusts additional section where it better shouldn't
Thomas Mieslinger
miesi at india.com
Fri Feb 17 13:29:22 UTC 2017
Hello Peter,
On 17.02.17 14:17, Peter van Dijk wrote:
> Hello Thomas,
>
> On 17 Feb 2017, at 14:15, Thomas Mieslinger wrote:
>> On 17.02.17 13:56, Brian Candler wrote:
>>> On 17/02/2017 12:53, Thomas Mieslinger wrote:
>>>> With crafted glue in the tld zone and mailrelays using pdns_recursor
>>>> you could redirect mail traffic.
>>>>
>>> If you have the ability to craft glue in the tld zone, surely you could
>>> also just change the delegation outright??
>>
>> No, the idea is to create a new domain with malicious glue and then
>> send emails over the MXes to infiltrate. The MXes will do lookups,
>> which trigger the pdns_recursor cache poisoning.
>
> You are confused. This is impossible.
Based on what I have seen in the past days the following happens:
I clear the old mx0..5.ovh.net A records from recursor caches, a
customer sends an email to bureauxdeventepro.com, the 213.186.33.XX ips
get the new default answer for mxX.ovh.net.
Call me confused, but it happened every day this week.
>> My employer's customers called in because they couldn't send emails to
>> OVH MXes. If the broken domains had been malicious and the glue IPs had
>> port 25 open, the MXes would have delivered the emails to them.
>
> It would be very dumb of OVH to put malicious hosts in there. Why would
> they do such a thing?
>
>> So do registries accept something like "mx00.t-online.de A
>> 64.233.187.26" as hostobject for a NS of a domain?
>
> No.
>
>> In the case of .com/.net I have the feeling they accept all kind of
>> bullshit (see first mail of this thread)
>
> No, they don’t. Only ovh.net can make hosts under ovh.net.
Not really. At least another registrar can reuse host objects.
Cleared earlier this week:
dig asie4all.com. @192.43.172.30
; <<>> DiG 9.10.4-P5 <<>> asie4all.com. @192.43.172.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4893
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;asie4all.com. IN A
;; AUTHORITY SECTION:
asie4all.com. 172800 IN NS mx1.ovh.net.
asie4all.com. 172800 IN NS mx2.ovh.net.
;; ADDITIONAL SECTION:
mx1.ovh.net. 172800 IN A 213.186.33.29
mx2.ovh.net. 172800 IN A 213.186.33.45
;; Query time: 9 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Wed Feb 15 09:42:50 CET 2017
;; MSG SIZE rcvd: 116
whois asie4all.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: ASIE4ALL.COM
Registrar: 1&1 INTERNET SE
Sponsoring Registrar IANA ID: 83
Whois Server: whois.1and1.com
Referral URL: http://registrar.1and1.info
Name Server: MX1.OVH.NET
Name Server: MX2.OVH.NET
Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Updated Date: 02-feb-2017
Creation Date: 29-jan-2017
Expiration Date: 29-jan-2018
>>> Last update of whois database: Wed, 15 Feb 2017 08:48:18 GMT <<<
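The referral above is the kind of response the thread is about: a .com server answering with NS records for asie4all.com and ADDITIONAL A records for mx1/mx2.ovh.net, names that lie outside the delegated zone. The following is an added example (not code from the thread or from PowerDNS) of the bailiwick check a recursor should apply before using such records as glue. The record tuples, the in-zone example.com delegation and the function names are constructed for illustration.

```python
# Added example, not from the thread or from PowerDNS: a minimal bailiwick
# filter for the ADDITIONAL section of a referral. Only A/AAAA records whose
# owner name sits inside the delegated zone (the NS owner) are kept as glue;
# anything outside it can be resolved on its own and must not be cached from
# an unrelated zone's servers.

def normalize(name: str) -> str:
    """Lower-case a DNS name and make it fully qualified with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (root matches all)."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)

def filter_glue(delegated_zone, additional):
    """Split ADDITIONAL records into (accepted, rejected) lists.

    `additional` is a list of (owner, rtype, rdata) tuples. Only A/AAAA
    records whose owner is inside `delegated_zone` are acceptable as glue.
    """
    accepted, rejected = [], []
    for owner, rtype, rdata in additional:
        if rtype in ("A", "AAAA") and in_bailiwick(owner, delegated_zone):
            accepted.append((owner, rtype, rdata))
        else:
            rejected.append((owner, rtype, rdata))
    return accepted, rejected

# Constructed sample: the ADDITIONAL section from the dig output in the thread ...
REFERRAL_FROM_THREAD = [
    ("mx1.ovh.net.", "A", "213.186.33.29"),
    ("mx2.ovh.net.", "A", "213.186.33.45"),
]
# ... and a hypothetical delegation with genuine in-zone glue for comparison.
IN_ZONE_REFERRAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns1.example.com.", "AAAA", "2001:db8::1"),
    ("ns.elsewhere.org.", "A", "192.0.2.2"),
]

if __name__ == "__main__":
    ok, bad = filter_glue("asie4all.com", REFERRAL_FROM_THREAD)
    print("accepted:", ok)   # [] : both ovh.net records are out of bailiwick
    print("rejected:", bad)
    print(filter_glue("example.com", IN_ZONE_REFERRAL))
```

With this rule the ovh.net addresses are never taken from the asie4all.com referral; the recursor has to look up mx1.ovh.net and mx2.ovh.net through net. and ovh.net itself, so a stale or wrong host object under some other domain cannot overwrite them.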