Hello Martin Gregorie,

On 2011-04-28 19:35:18, you banged out the following:
> CORRECTIONS:
>
> > That looks OK. I assume you've configured the server to be authoritative
> > for the private.tamay-dogan.net domain, in which case:
> >
> > a) requests for unknown host names will be rejected immediately as
> > 'unknown'
----[ command 'dig ANY dns.private.tamay-dogan.net' ]----------
dns.private.tamay-dogan.net. 14400 IN A 192.168.0.74
dns.private.tamay-dogan.net. 14400 IN RRSIG A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. FPdc7WqUMorG6dmXcQk4MqYoMYuJ9U7he1njvlmBvMYNmC0NIU2MtuYg aUNihHnNPZv4ZBA2+FyEaSM5AqWMQXX6botpdBrxgHewG6wVSCXaYdks XdL4udOeIWYBaHk6INHhz5Xr/FDFUKg5xg81xuShpp5ivte0dTwiKfyt 4BM=
dns.private.tamay-dogan.net. 86400 IN NSEC easybox.private.tamay-dogan.net. A RRSIG NSEC
dns.private.tamay-dogan.net. 86400 IN RRSIG NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. ii4Ev9wmqiKJV+zGD3rMZ0nzjh4OauxswC9qnAFgdPRyL12EszGkDW6j kxU/SNFoK1T6F2ojNOCVJjLDPjV3/yrVlKoWeB1EJZZFyzafXF3bKBYi WHlGaBiIX3Sf3c2d4pAYShwK1rBIiUyEvlcBVMRGNUshVdqscyRsacI+ bcQ=
private.tamay-dogan.net. 3600 IN NS dns.private.tamay-dogan.net.

real 0m0.019s
user 0m0.004s
sys 0m0.008s
------------------------------------------------------------------------

----[ command 'dig ANY spamassassin.private.tamay-dogan.net' ]----------
private.tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303072426 10800 3600 604800 86400

real 0m0.020s
user 0m0.012s
sys 0m0.000s
------------------------------------------------------------------------

----[ command 'dig ANY spamassassin.tamay-dogan.net' ]------------------
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303072426 10800 3600 604800 86400

real 0m0.022s
user 0m0.000s
sys 0m0.008s
------------------------------------------------------------------------

----[ command 'time dig ANY spamer.foo.net' ]---------------------------
spamer.foobar.net. 300 IN A 208.87.32.68
foobar.net. 172799 IN NS ns1.hostingnet.com.
foobar.net. 172799 IN NS ns2.hostingnet.com.
ns1.hostingnet.com. 3600 IN A 208.87.32.72
ns2.hostingnet.com. 3600 IN A 64.69.82.199

real 0m0.976s
user 0m0.000s
sys 0m0.016s
------------------------------------------------------------------------

> > b) requests for unknown IPs in outside subnet 0 will be rejected
>                                  ^^^^^^^
> > immediately as 'unreachable'

----[ command 'time dig +all -x 192.168.5.5' ]--------------------------
; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.5.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37973
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.5.168.192.in-addr.arpa. IN ANY

;; AUTHORITY SECTION:
168.192.in-addr.arpa. 37 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2008072202 21600 3600 1209600 86400

;; Query time: 0 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:27:41 2011
;; MSG SIZE rcvd: 119

real 0m0.022s
user 0m0.008s
sys 0m0.008s
------------------------------------------------------------------------

Oops?

The request was made on my Workstation <192.168.0.91> where the NS is
<192.168.0.74>.

So, from the AUTHORITY SECTION I can see, my NS server has asked the
Internet (as a forwarder) and the response came from the server
<prisoner.iana.org> which is a part of the AS112 project.

Blocking anything except <192.168.0>, <192.168.1> and <192.168.2> would
mean I have to set up blocks on 1000s of subnets...

> > c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
> > where the machine is turned off will cause an anycast to be sent
> > out and will only be rejected when the request times out.
> > The default timeout for my (Linux) ping is 3 seconds.

Unknown IP:

----[ command 'time dig +all -x 192.168.0.5' ]--------------------------
; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49770
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.0.168.192.in-addr.arpa. IN ANY

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 38400 IN SOA dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303058100 10800 3600 604800 86400

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:38:27 2011
;; MSG SIZE rcvd: 116

real 0m0.030s
user 0m0.012s
sys 0m0.000s
------------------------------------------------------------------------

valid hostname where the machine is turned off:

----[ command 'dig ANY +all acc336.private.tamay-dogan.net' ]-----------
; <<>> DiG 9.6-ESV-R4 <<>> ANY +all acc336.private.tamay-dogan.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;acc336.private.tamay-dogan.net. IN ANY

;; ANSWER SECTION:
acc336.private.tamay-dogan.net. 14400 IN A 192.168.0.81
acc336.private.tamay-dogan.net. 14400 IN RRSIG A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. ZlcYlGlrc4Bmy2Ci3CJI3UHGXnKvjuKPdAN7+nw/x7BnDjSTOjA/GkZt nFIXIziuGYgTJFDMR7puAEjMwwfLBZn0unmyxhq9UYP4sSTANN1bUd8I SbC8wBfjgJonTNp9ZZucWxjwTuGyeHYqFoDwCUCYngSH8JQ5Em6zTCvg +3Q=
acc336.private.tamay-dogan.net. 86400 IN NSEC acc576.private.tamay-dogan.net. A RRSIG NSEC
acc336.private.tamay-dogan.net. 86400 IN RRSIG NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. IIyjMp2O2iB9xlIUdQ+RXWLs4UVbqkxwTn4sazOcbEpr6AVUe0X78uu8 91htt42wF8A1zcy+WCINisSHA/eF1haIPHQnNH+nfy/rfU6Nan6P9WKV Bt2Ho1x6V6qGOe9Zsxte3WPDPdP6ITsnhf0Q8IFHIgZXoaEsCusiTpcT oBs=

;; AUTHORITY SECTION:
private.tamay-dogan.net. 3600 IN NS dns.private.tamay-dogan.net.

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:36:28 2011
;; MSG SIZE rcvd: 500

real 0m0.028s
user 0m0.004s
sys 0m0.008s
------------------------------------------------------------------------

> Martin

Thanks for your help...
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL              itsystems@tdnet UG (limited liability)
Owner Michelle Konzack                   Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                        Kinzigstraße 17
67100 Strasbourg/France                  77694 Kehl/Germany
Tel: +33-6-61925193 mobil                Tel: +49-177-9351947 mobil
                                         Tel: +49-176-86004575 office

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>     <http://www.can4linux.org/>
Jabber linux4miche...@jabber.ccc.de
ICQ    #328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
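As an added example (not code from this mail or from anyone in the thread), here is a small Python checker that reads dig output like the two reverse-lookup runs above and reports whether a PTR query for a private address was answered by the local server itself (the `aa` flag and a local SOA, as for 192.168.0.5) or escaped to the AS112 sinkhole (no `aa`, SOA from prisoner.iana.org, as for 192.168.5.5). The AS112 host names are the project's public ones; the two sample outputs are constructed from the dig runs quoted in the mail, and the verdict labels are this example's own invention.

```python
"""Classify dig output for reverse (PTR) lookups of RFC 1918 addresses.

Added example, not code from the original mail thread. It parses the
'status:' and ';; flags:' header lines and the AUTHORITY SECTION of dig
output and reports whether a reverse lookup for a private address was
answered by the local server (flag 'aa') or escaped to the AS112
sinkhole servers. The sample outputs are constructed from the dig runs
quoted in the mail; the verdict strings are this example's own.
"""
import ipaddress
import re

# Public AS112 sinkhole name servers (the project's well-known host names).
AS112_HOSTS = {"prisoner.iana.org.", "blackhole-1.iana.org.", "blackhole-2.iana.org."}

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")
QUESTION_RE = re.compile(r"^;(\S+)\.\s+IN\s+\S+", re.M)
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)", re.M)


def reverse_name_to_ip(name):
    """Turn '5.5.168.192.in-addr.arpa' into '192.168.5.5' (full IPv4 names only)."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    return ".".join(reversed(labels[:4]))


def analyze_dig_output(text):
    """Return who answered a reverse lookup and whether it left the network."""
    status = STATUS_RE.search(text).group(1)
    flags = set(FLAGS_RE.search(text).group(1).split())
    qname = QUESTION_RE.search(text).group(1)
    ip = reverse_name_to_ip(qname)
    soa = SOA_RE.search(text)
    soa_zone, soa_mname = (soa.group(1), soa.group(2)) if soa else (None, None)

    private = ip is not None and ipaddress.ip_address(ip).is_private
    authoritative = "aa" in flags          # local server owns the zone it answered from
    from_as112 = soa_mname in AS112_HOSTS  # SOA came from the Internet sinkhole

    if private and not authoritative and from_as112:
        verdict = "leaked"   # private reverse query was forwarded out and hit AS112
    elif private and authoritative:
        verdict = "local"    # answered from a locally served reverse zone
    else:
        verdict = "other"
    return {
        "status": status, "ip": ip, "authoritative": authoritative,
        "soa_zone": soa_zone, "soa_mname": soa_mname, "verdict": verdict,
    }


# Constructed samples, abridged from the two reverse lookups quoted in the mail.
LEAKED = """\
; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.5.5
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37973
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;5.5.168.192.in-addr.arpa. IN ANY
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 37 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2008072202 21600 3600 1209600 86400
;; SERVER: 192.168.0.74#53(192.168.0.74)
"""

LOCAL = """\
; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.0.5
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49770
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;5.0.168.192.in-addr.arpa. IN ANY
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 38400 IN SOA dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303058100 10800 3600 604800 86400
;; SERVER: 192.168.0.74#53(192.168.0.74)
"""

if __name__ == "__main__":
    for sample in (LEAKED, LOCAL):
        print(analyze_dig_output(sample))
```

The "leaked" verdict is exactly the situation the mail shows for 192.168.5.5: the reverse zone for that subnet is not served locally, so the forwarder sends the query to the Internet and AS112 answers it. Serving the remaining RFC 1918 reverse zones from the local server (an empty zone that returns NXDOMAIN is enough; BIND 9 ships these as built-in empty zones) makes such queries look like the second sample and keeps them off the Internet without per-subnet blocking.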