In message <cao42z2yuecwoyxxodcpkftho4rnxdygjcbxjrrq7jrbhvvg...@mail.gmail.com> , Mark Smith writes: > > What you're seeing is quite expected, you're providing a relative domain > name not an absolute one. Since it is relative, then the DNS resolver will > try to use the list of search domains it has to resolve it. > > The purpose of providing a domain to a client e.g. via DHCP is so that > relative names can be used for things. > > In the ISP world, it would be so that customers can type "mail" rather > than "mail.isp.com". I don't think that is really much value anymore, as the > only place people commonly type domain names its into their web browser, > and they're full domain names outside the ISP's name space, even though > they're technically not fully qualified - a fully qualified domain name > has a dot on the end e.g. "mail.isp.com.". Also, ISPs provide full (relative) > names on settings pages too. > > So you have the following options > > (a) always use fully qualified domain names i.e. ones that have dots on > the end - which is impractical because it will be hard to change end user > behaviour. > > (b) work out where your resolver relative search list is and stop it > listing .com.au. Something to try is to have a single search domain of > '.', which would make all relative domain names absolute ones upon the first > resolution attempt. > > Try your nslookup query with a dot on the end and it should either > entirely succeed or entirely fail on the first resolution attempt.
This is also Microsoft ignoring security warnings and fixes that were issued and deployed 2+ decades ago. RFC 1535 first raised this and the search mechanism was changed to do queries with dots "as is", then apply the search list. Additionally the search list became a single element as it was realised that you couldn't just strip off leading labels safely. I tried hard to argue that partially qualified names should no longer be a concept (if there is a period in the name then it is always treated as absolute). I also tried hard to argue that searches should stop on NODATA, that the only response that should cause a search to move onto the next element is NXDOMAIN. SERVFAIL should be terminal. Remember periods at the end to indicate no searching is a local user interface issue as is searching itself. Domain elements in protocols are fully qualified and don't have a final period. And before you mention DNS master files, there is no searching. There is appending the current origin or not depending on the absence or not of the final period. There is no ambiguity that there is with searching. This is text based compression. Also ISP's that depend on their domain being in the search list on customer machines are idiots. Search list are one of the things that hosts can override and you should never trust a search list given to you by a ISP or a hotspot. Mark > On 1 Jun. 2017 17:38, "Benjamin Ricardo" <[email protected]> wrote: > > Ahh yes I hadnât thought of the catchall. > > > > You are correct Nick there is still an old 2003 DC in this domain and yes > since Win7 / Server2k8r2 the devolution level criteria has changedâ this > will have been the issue I guess. > > I thought the client controlled the DNS Devolution level though and these > clients are Win10? > > > > Win10 client querying against a 2008R2 DNS Servers > > > > Example (you asked for it) > > > > PS C:\> nslookup > > Default Server: nameserver > > Address: 192.168.23.10 > > > > > set debug > > > vpn.somedomain.com > > Server: nameserver > > Address: 192.168.23.10 > > > > ------------ > > Got answer: > > HEADER: > > opcode = QUERY, id = 2, rcode = NXDOMAIN > > header flags: response, auth. answer, want recursion, recursion > avail. > > questions = 1, answers = 0, authority records = 1, additional > = 0 > > > > QUESTIONS: > > vpn.somedomain.com.somedomain.com.au, type = A, class = IN > > AUTHORITY RECORDS: > > -> somedomain.com.au > > ttl = 3600 (1 hour) > > primary name server = sterdevel.somedomain.com.au > > responsible mail addr = hostmaster. somedomain.com.au > > serial = 185662 > > refresh = 900 (15 mins) > > retry = 600 (10 mins) > > expire = 86400 (1 day) > > default TTL = 900 (15 mins) > > > > ------------ > > ------------ > > Got answer: > > HEADER: > > opcode = QUERY, id = 3, rcode = NXDOMAIN > > header flags: response, auth. answer, want recursion, recursion > avail. > > questions = 1, answers = 0, authority records = 1, additional > = 0 > > > > QUESTIONS: > > vpn. somedomain.com. somedomain.com.au, type = A, class = IN > > AUTHORITY RECORDS: > > -> somedomain.com.au > > ttl = 3600 (1 hour) > > primary name server = sterdevel. somedomain.com.au > > responsible mail addr = hostmaster. somedomain.com.au > > serial = 185662 > > refresh = 900 (15 mins) > > retry = 600 (10 mins) > > expire = 86400 (1 day) > > default TTL = 900 (15 mins) > > > > ------------ > > ------------ > > Got answer: > > HEADER: > > opcode = QUERY, id = 4, rcode = NOERROR > > header flags: response, want recursion, recursion avail. > > questions = 1, answers = 1, authority records = 0, additional > = 0 > > > > QUESTIONS: > > vpn. somedomain.com.com.au, type = A, class = IN > > ANSWERS: > > -> vpn. somedomain.com.com.au > > internet address = 192.185.161.219 > > ttl = 4021 (1 hour 7 mins 1 sec) > > > > ------------ > > Non-authoritative answer: > > ------------ > > Got answer: > > HEADER: > > opcode = QUERY, id = 5, rcode = NOERROR > > header flags: response, want recursion, recursion avail. > > questions = 1, answers = 0, authority records = 1, additional > = 0 > > > > QUESTIONS: > > vpn. somedomain.com.com.au, type = A, class = IN > > AUTHORITY RECORDS: > > -> com.com.au > > ttl = 900 (15 mins) > > primary name server = ns1255.websitewelcome.com > > responsible mail addr = root.harrier.websitewelcome.com > > serial = 2017051610 <(201)%20705-1610> > > refresh = 86400 (1 day) > > retry = 7200 (2 hours) > > expire = 3600000 (41 days 16 hours) > > default TTL = 86400 (1 day) > > > > ------------ > > Name: vpn. somedomain.com.com.au > > Address: 192.185.161.219 <- this is the wrong > address > > > > > > > > > > > *From:* Nick Marsham [mailto:[email protected]] > *Sent:* Thursday, 1 June 2017 3:52 PM > *To:* Benjamin Ricardo <[email protected]>; 'Ausnog' < > [email protected]> > *Subject:* RE: [AusNOG] DNS Devolution targeting the .com.au space - > should > we be worried? > > > > DNS devolution in AD domains in all supported versions of Windows doesnât > proceed past the FQDN of the forest root domain, so the only way you could > get into this exact scenario is by your FRD configured as âcom.auâ, or to > have a global search suffix list configured which includes the suffix > âcom.auâ, since global search suffix lists override devolution. > > > > If youâre able to provide me an example of how devolution could actually > cause the scenario you suggest in Windows 7/Server 2008R2 or newer, Iâd be > very interested. > > > > Itâs also important to note that the owner com.com.au is not explicitly > âregisteringâ A records in order to catch big-name companies: Their DNS > server simply has a âcatchallâ which returns a landing page. > > > > *From:* AusNOG [mailto:[email protected] > <[email protected]>] *On Behalf Of *Benjamin Ricardo > *Sent:* Thursday, 1 June 2017 3:36 PM > *To:* 'Ausnog' <[email protected]> > *Subject:* [AusNOG] DNS Devolution targeting the .com.au space - should we > be worried? > > > > HI All, > > Looking for thoughts on something that we uncovered today in the wild > (heard about it years ago but never seen it) regarding internal company > domains that are using public .com.au domain suffixes and whether thereâs > something that should be done here. > > > > The issue is caused by Microsofts Primary DNSSuffix Devolution and the > potential for legitimate traffic to be redirected to the owner of the > domain âcom.com.au.â if your machine has a domain name of â > somehostname.somedomainname.com.auâ > > It is possible in this situation for a non-qualified query to do the > following: > > > > ibm.com.somehostname.somedomainname.com.au (NXDOMAIN) > > ibm.com.somedomainname.com.au > (NXDOMAIN) > > ibm.com.com.au > (NOERROR) > > > > You can see the vulnerability. > > The problem is now that it appears that the owner of the domain > âcom.com.auâ > has started to register A records for big name domains such as .ibm.com in > the hope of catching non-fully qualified queries to these addresses. > > > > I can only think that this is going to end badly for people. > > Is this the sort of thing that could be flagged as abuse? > > > > Appreciate any comments. > > > > Ben > > > > _______________________________________________ > AusNOG mailing list > [email protected] > http://lists.ausnog.net/mailman/listinfo/ausnog > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________ AusNOG mailing list [email protected] http://lists.ausnog.net/mailman/listinfo/ausnog
