On Jan 28, 2014, at 1:50 PM, valdis.kletni...@vt.edu wrote:

> On Tue, 28 Jan 2014 08:06:31 -0500, Jared Mauch said:
> 
>>  52731 ASN7922
> 
>> It includes IP address where you send a DNS packet to it and another IP 
>> address responds to the query, e.g.:
> 
>> The data only includes those where the “source-ASN” and “dest-asn” of these 
>> packets don’t match.
> 
> Hang on Jared, I'm trying to wrap my head around this.  You're saying that
> AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
> you get an answer back from *an entirely different ASN*? How the heck does
> *that* happen?

Yup.

> Hmm.. Comcast.  Anybody over there have an explanation what's going on there?

Most of these devices are CPE that perform DNS redirection/proxy wrong because 
they didn't constrain their udp/53 rule in iptables to only work on the 
"inside" interface.  They then send the packet to their configured DNS server 
(e.g. 8.8.8.8) and rewrite the source address in the packet to be the IP address 
of the OpenResolverProject.org scanning server.  They then spoof me to 8.8.8.8 
and I get the response from there.

I have a unique QNAME per-IP I send, so I can decrypt/decode this to get the 
original destination to detect this.

I mentioned this in the past, so please don't act so surprised :)

http://mailman.nanog.org/pipermail/nanog/2013-August/060246.html

- Jared
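The per-IP QNAME trick Jared describes, as an added example that is not part of the thread or of the OpenResolverProject's own code: the scanner encodes the probed address into the leftmost label of the query name, so when an answer arrives from a different IP (here 8.8.8.8 instead of the CPE that was queried), the original destination can still be recovered and its ASN compared with the responder's ASN. The scan zone, the prefix-to-ASN table and the reply samples are all constructed for the example. On the CPE side the corresponding fix is to restrict the udp/53 redirect rule to the LAN-facing interface (for example `-i br-lan` on the iptables PREROUTING rule; interface name assumed) so packets arriving on the WAN side are never forwarded upstream.

```python
"""Added example: decode per-target probe QNAMEs and flag answers that come
back from a different ASN than the host that was queried. Not code from the
NANOG thread; the scan zone and ASN table below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical scan zone; the thread does not give the project's real zone.
SCAN_ZONE = "probe.example.net"


def encode_qname(target_ip: str) -> str:
    """Leftmost label = hex of the target IPv4 address, so each probe QNAME is unique."""
    return f"{ipaddress.IPv4Address(target_ip).packed.hex()}.{SCAN_ZONE}"


def decode_qname(qname: str) -> str:
    """Recover the originally probed address from a QNAME made by encode_qname()."""
    label = qname.rstrip(".").split(".")[0]
    if len(label) != 8:
        raise ValueError(f"not a probe QNAME: {qname!r}")
    return str(ipaddress.IPv4Address(bytes.fromhex(label)))


# Constructed prefix -> ASN table: documentation space plus 8.8.8.0/24 (AS15169, Google).
ASN_TABLE: List[Tuple[ipaddress.IPv4Network, int]] = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 64501),
    (ipaddress.ip_network("8.8.8.0/24"), 15169),
]


def lookup_asn(ip: str) -> int:
    """Longest-prefix match against the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    if best is None:
        raise KeyError(f"no ASN for {ip}")
    return best[1]


def classify_replies(replies: List[Tuple[str, str]]) -> List[Dict]:
    """replies: (responder_ip, qname) pairs as seen on the scanner.
    Each record carries the decoded target, the responder, both ASNs and a mismatch flag."""
    out = []
    for responder, qname in replies:
        target = decode_qname(qname)
        t_asn, r_asn = lookup_asn(target), lookup_asn(responder)
        out.append({
            "target": target,
            "responder": responder,
            "target_asn": t_asn,
            "responder_asn": r_asn,
            "asn_mismatch": t_asn != r_asn,
        })
    return out


def count_mismatches_by_asn(replies: List[Tuple[str, str]]) -> Dict[int, int]:
    """Per-ASN count of probed hosts whose answer came from another ASN
    (the kind of number the thread quotes for AS7922)."""
    counts: Dict[int, int] = {}
    for rec in classify_replies(replies):
        if rec["asn_mismatch"]:
            counts[rec["target_asn"]] = counts.get(rec["target_asn"], 0) + 1
    return counts


# Constructed sample: two CPE in 203.0.113.0/24 relay the query upstream without
# fixing up the source, so 8.8.8.8 answers the scanner directly; one host in
# 198.51.100.0/24 is an ordinary open resolver answering from its own address.
SAMPLE_REPLIES = [
    ("8.8.8.8", encode_qname("203.0.113.10")),
    ("8.8.8.8", encode_qname("203.0.113.11")),
    ("198.51.100.5", encode_qname("198.51.100.5")),
]

if __name__ == "__main__":
    for rec in classify_replies(SAMPLE_REPLIES):
        print(rec)
    print(count_mismatches_by_asn(SAMPLE_REPLIES))
```

The mismatch count is keyed on the target's ASN rather than the responder's, because the operator who needs to act is the one whose CPE is relaying, not the upstream resolver that merely answered.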
