Educause Security Discussion mailing list archives

recursion only queries and interception observation
From: John Kristoff <jtk () CYMRU COM>
Date: Wed, 17 Apr 2013 09:49:32 -0500

While at the SPC in St Louis this week, I happened to notice, though it
is hard not to in my default config, that the EDUCAUSE provided network
is configured in a peculiar way, though this sort of thing is not
uncommon as you travel around the world and hop onto guest networks.

Most, if not all, will not notice any of this, so this is likely only of
interest to the DNS or network transparency geeks who care about such

In a traditional configuration, you're connected to the wireless
network, using a stub resolver and things work swimmingly.

In a configuration like mine, where you may run your own local, full
resolver, iterative queries over UDP that would normally, and really
ought to work in my opinion, will receive SERVFAIL answers.

For example, on my wireless client, the following queries will fail:

  dig @ www.educause.edu
  dig @ns1.educause.edu www.educause.edu +norecurse

The following will succeed:

  dig @ns1.educause.edu www.educause.edu
  dig @ns1.educause.edu www.educause.edu +norecurse +tcp

Note, these last two appear to be completely distinct flows and
presumably instantiate different state in whatever middle box gear is
in use here.  Examining the authoritative server will show that two
completely different endpoints are contacting it.

Fun things to do between sessions.  Now, let's see what we can discover
with those funky hotel elevator keypad panels... :-)
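
The three fully specified dig probes from the message above (recursive UDP, `+norecurse` UDP, `+norecurse +tcp`) can be repeated on any guest network with a short script. This is an added example, not part of the original post; the function names and the classification labels are assumptions made for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, rd, qid=0x4A4B):
    """Encode an A/IN query; rd=False is what `dig +norecurse` sends."""
    # qid is fixed here for repeatability; a resolver would randomise it
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def rcode_of(resp):
    """Name of the RCODE (low 4 bits of the flags word) in a raw response."""
    if len(resp) < 12:
        return "MALFORMED"
    code = struct.unpack("!H", resp[2:4])[0] & 0xF
    return RCODES.get(code, "RCODE%d" % code)

def probe(server, name, rd, tcp, timeout=3.0):
    """Send one query to server:53 and return its RCODE name, or TIMEOUT."""
    query = build_query(name, rd)
    try:
        if tcp:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                f = s.makefile("rb")
                size = struct.unpack("!H", f.read(2))[0]
                return rcode_of(f.read(size))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return rcode_of(s.recvfrom(4096)[0])
    except (OSError, struct.error):
        return "TIMEOUT"

def classify(results):
    """results maps (rd, tcp) -> RCODE name for the three probes in the post."""
    udp_rd, udp_nord, tcp_nord = (results[k] for k in
                                  [(True, False), (False, False), (False, True)])
    if udp_rd == tcp_nord == "NOERROR":
        if udp_nord == "NOERROR":
            return "iterative UDP works"
        if udp_nord in ("SERVFAIL", "TIMEOUT", "REFUSED"):
            return "iterative UDP blocked or intercepted"
    return "inconclusive"
```

Calling `probe("ns1.educause.edu", "www.educause.edu", rd, tcp)` for the three `(rd, tcp)` combinations and passing the results to `classify` reproduces the comparison made with dig in the message.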

