1432

Welp that answers a lot of why all .ml are down (i.imgur.com)

submitted 1 year ago* (last edited 1 year ago) by BarterClub@sh.itjust.works to c/technology@lemmy.world

508 comments fedilink hide all child comments

https://very.bignutty.xyz/notes/9hf13it1ced3b2za

you are viewing a single comment's thread
view the rest of the comments

[-] grandkaiser@lemmy.world 3 points 1 year ago

Friday I was doing a zone transfer! What are the odds?

A zone transfer is like moving houses, except for an authoritative zone.

In DNS, we have what's called an authoritative zone. That means the device hosting the "resource records" (all the data that DNS passes around) is the "ultimate" answer. I.e, it's not cached data. It's not a hosts file. It's not a recursive answer. It's the real deal.

When you want to move the authoritative zone to another server, you do a "zone transfer" that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).

[-] jmanjones@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?

[-] grandkaiser@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a 'bad actor' DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.

Let's say you're Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we're skipping caching & non-authoritative answers for brevity):

You type "lemmy.world" into your browser
Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn't a period. It's the "true" FQDN)
Computer looks at hosts file and doesn't see anything
DNS packets are sent to your configured DNS server. If you don't have one configured, DHCP already configured it for you
Your DNS server performs a recursive search for world by asking the root zone where the "world" Name Serer is
root zone resolves world as:

world. 3600 IN NS v0n0.nic.world.

world. 3600 IN NS v0n1.nic.world.

world. 3600 IN NS v0n2.nic.world.

world. 3600 IN NS v0n3.nic.world.

world. 3600 IN NS v2n0.nic.world.

world. 3600 IN NS v2n1.nic.world.

Your DNS server reaches out to one of those Name Server's (That's what the NS record is for) and asks it where "lemmy" is
world Name Server responds with:

lemmy.world. 300 IN A 172.67.218.212

lemmy.world. 300 IN A 104.21.53.208

Your DNS server contacts your computer and serves it those IP addresses. (A record's are domain name to IP Address)

Now lets say there's a DNS spoof attack:

Before the "world" server can get back to your DNS server, the hackers server interjects with it's own authoritative claim that lemmy is here:

lemmy.world. 300 IN A [attack site IP]

Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.

this post was submitted on 21 Jul 2023

1432 points (98.9% liked)

Technology

59648 readers

1520 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS