Educause Security Discussion
mailing list archives
recursion only queries and interception observation
From: John Kristoff <jtk () CYMRU COM>
Date: Wed, 17 Apr 2013 09:49:32 -0500
While at the SPC in St Louis this week, I happened to notice, though it
is hard not to in my default config, that the EDUCAUSE provided network
is configured in a peculiar way, though this sort of thing is not
uncommon as you travel around the world and hop onto guest networks.
Most, if not all, will not notice any of this, so this is likely only of
interest to the DNS or network transparency geeks who care about such

In a traditional configuration, you're connected to the wireless
network, using a stub resolver and things work swimmingly.

In a configuration like mine, where you may run your own local, full
resolver, iterative queries over UDP that would normally, and really
ought to work in my opinion, will receive SERVFAIL answers.

For example, on my wireless client, the following queries will fail:

  dig @127.0.0.1 www.educause.edu
  dig @ns1.educause.edu www.educause.edu +norecurse

The following will succeed:

  dig @ns1.educause.edu www.educause.edu
  dig @ns1.educause.edu www.educause.edu +norecurse +tcp

Note, these last two appear to be completely distinct flows and
presumably instantiate different state in whatever middle box gear is
in use here. Examining the authoritative server will show that two
completely different endpoints are contacting it.

Fun things to do between sessions. Now, let's see what we can discover
with those funky hotel elevator keypad panels... :-)
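
The probe pattern described in the message above, as an added example that is not part of the original post: it encodes the RD-set and RD-clear queries that dig sends and classifies the three replies from the authoritative server. The function names are hypothetical, the replies are constructed samples, and the RA/AA hint assumes the server being probed is authoritative-only.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
SERVFAIL = 2

def build_query(name, rd=True, qid=0x1A2B):
    """Encode an A/IN query; rd=False matches dig's +norecurse."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return (struct.pack("!6H", qid, RD if rd else 0, 1, 0, 0, 0)
            + qname + struct.pack("!2H", 1, 1))

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the probes compare."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}

def ok(reply):
    """True if the reply is a NOERROR response carrying at least one answer."""
    if reply is None:          # None models a timeout
        return False
    h = parse_header(reply)
    return h["qr"] and h["rcode"] == 0 and h["ancount"] > 0

def classify(udp_rd, udp_nord, tcp_nord):
    """Arguments are raw replies to UDP+RD, UDP+norecurse and TCP+norecurse."""
    if ok(udp_rd) and not ok(udp_nord) and ok(tcp_nord):
        h = parse_header(udp_rd)
        # Assumption: an authoritative-only server answers with AA set, RA clear.
        hint = " (RA set / AA clear: a resolver answered)" if h["ra"] or not h["aa"] else ""
        return "udp/53 intercepted by recursion-only middlebox" + hint
    if ok(udp_nord) and ok(tcp_nord):
        return "transparent"
    return "inconclusive"

def fake_reply(query, flags, ancount):
    """Constructed sample reply: header plus echoed question, no real records."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!6H", qid, QR | flags, 1, ancount, 0, 0) + query[12:]
```
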