
Re: [opennic-discuss] [URGENT] [ROUND-ROBIN] DNS POISONING/POSSIBLE MITM ATTACK


  • From: Lennart Seitz <mail AT lseitz.de>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] [URGENT] [ROUND-ROBIN] DNS POISONING/POSSIBLE MITM ATTACK
  • Date: Thu, 2 Sep 2021 02:34:52 +0200

On 02.09.2021 02:18, Se7en wrote:
> On 21-09-02 02:12:47, Lennart Seitz wrote:
>>
>> This is yet to be proven. You are sending to the anycast, any party
>> within your traceroute can manipulate DNS requests. This is not related
>> to OpenNIC.
> You have just said that the DNS servers I'm using, which are listed on
> the wiki, are /not/ Anycast servers belonging to the
> OpenNICProject. You are contradicting yourself. I hope you realize
> that this is potentially a major scandal, and you should put out a
> press release and a security alert as this is a /major/ problem!

It used to be an anycast for OpenNIC some time ago, it's not anymore -
things change, the Wiki is not updated and until now nobody can confirm
or see any poisoned records served by this server except you. So a local
hijack seems more likely (to me).

IF, and this is a big if, some POP that used to be operated by Fusl was
hacked, then yes, this is a security concern and you should contact Fusl
to verify this. But in an optimal situation you would verify records per
DNSSEC and your local resolver would reject such records, if altered.
After all DNS is a plaintext protocol, prepare for the worst.

I'm not saying that your DNS poisoning is not a problem, but until now
it's not for sure that OpenNIC is related to this, so keep it calm please.

>
> If you believe that I /am/ using the correct Anycast servers, what do
> you suggest I do to detect if it is external to the DNS problem? I
> have already performed analysis and shown that the only reason I was
> getting the MITM to facebook, and the fraudulent Chinese domain
> register was by using the Anycast DNS servers listed on the
> wiki. These are the same servers I have used since 2015/2016 on a
> multitude of devices.

Fusl needs to verify whether the POP that serves your requests locally
resolves correctly. If it does, then somebody in the chain to you is
altering requests and it's not related to OpenNIC / the old Anycast DNS.
If the POP serves wrong records, then things got bad.

> Is it or is it not the Anycast server? If it is the result of
> something else, what else could it be when all other DNS Providers I
> put into my configuration do not have this issue?
>
>

Can't tell for sure TBH, it certainly used to be an "official" OpenNIC
Anycast, but the server list says something different. The IP is still
allocated to Katie so an IP/BGP hijack seems unlikely.

I would say Katie still operates the servers but doesn't want any new
traffic, therefore the removal from the list. But only she can tell.

> Which one? 185.121.177.177 or 169.239.202.202? I am in the United
> States.

Talking about 185.121.177.177:
dig duckduckgo.com @185.121.177.177 +short
40.114.177.156

Seems to be located in Frankfurt by Vultr

 4  ch-zrh03a-rc1-ae-212-0.aorta.net (84.116.211.141)  30.053 ms  30.038 ms  38.956 ms
 5  ch-zrh01b-ra1-ae-1-0.aorta.net (84.116.134.142)  30.002 ms  29.992 ms  38.916 ms
 6  213.46.171.222 (213.46.171.222)  38.910 ms  29.652 ms  29.188 ms
 7  ffm-bb1-link.ip.twelve99.net (62.115.138.16)  41.336 ms ffm-bb2-link.ip.twelve99.net (62.115.138.46)  41.279 ms  41.281 ms
 8  ffm-b12-link.ip.twelve99.net (62.115.142.47)  41.275 ms  41.269 ms  41.271 ms
 9  vultr-ic312911-ffm-b12.ip.twelve99-cust.net (62.115.58.22)  53.067 ms  53.086 ms  53.063 ms
10  * * *
11  * * *


--
Kind regards,
Lennart Seitz
PGP key: 0x187abd76a5660379 (https://pgp.lseitz.de/key.asc)
--
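The thread's suggestion amounts to two checks: ask several resolvers the same question and see which one disagrees, and rely on DNSSEC rather than on any single resolver's word. The script below is an added example (not from the thread or from OpenNIC) that parses the text `dig +dnssec` prints for each resolver, compares the answer sets, and records whether the AD flag was set. The dig outputs are constructed samples, and 198.51.100.53 is a placeholder for a suspect resolver.

```python
import re
from collections import Counter

# Constructed samples (not real captures) of what `dig +dnssec duckduckgo.com
# @<resolver>` prints; only the flags line and the answer lines are parsed.
# The placeholder resolver returns a different record without the AD flag.
SAMPLE_OUTPUTS = {
    "185.121.177.177": (
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\nduckduckgo.com.\t300\tIN\tA\t40.114.177.156\n"
    ),
    "169.239.202.202": (
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\nduckduckgo.com.\t300\tIN\tA\t40.114.177.156\n"
    ),
    "198.51.100.53": (
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\nduckduckgo.com.\t300\tIN\tA\t203.0.113.7\n"
    ),
}

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.M)
A_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$", re.M)


def parse_dig(text):
    """Return (ad_flag, frozenset of A-record addresses) from dig's output."""
    m = FLAGS_RE.search(text)
    flags = set(m.group(1).split()) if m else set()
    return "ad" in flags, frozenset(ip for _, ip in A_RR_RE.findall(text))


def cross_check(outputs):
    """Map each resolver to 'validated', 'unvalidated' or 'outlier'.

    'outlier' means its answer set differs from the majority. AD is only the
    resolver's own claim to have validated; whoever can rewrite the reply can
    set that bit too, so the reliable check is a validating resolver on the
    client itself, which drops records whose RRSIG does not verify.
    """
    parsed = {r: parse_dig(t) for r, t in outputs.items()}
    if not parsed:
        return {}
    consensus = Counter(a for _, a in parsed.values()).most_common(1)[0][0]
    verdicts = {}
    for resolver, (ad, answers) in parsed.items():
        if answers != consensus:
            verdicts[resolver] = "outlier"
        else:
            verdicts[resolver] = "validated" if ad else "unvalidated"
    return verdicts
```

Feed `cross_check` a dict of resolver address to captured dig output to get a per-resolver verdict; an "outlier" among otherwise agreeing resolvers points at that resolver or the path to it, not at the zone.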