iniqua
OpenNIC Tier2 Servers: Minimal survey
The United States government has recently “capture” some domains, One of this domains is rojadirecta.org, portal that collects links of sports events streaming servers. This has generated concern among users.
One alternative to avoid this type of domain hijacking is the use of OpenNIC. A project that aims to offer an alternative to top-level domains (TLD) managed by ICANN. Principal attraction is that not depend directly or indirectly from a government agency and offers domain registration for free.
OpenNIC (a.k.a. “The OpenNIC Project”) is an organization of hobbyists who run an alternative DNS network. OpenNIC is owned and operated by the OpenNIC community. Membership is open to all who share an interest in keeping DNS free for all users. Our goal is to provide you with quick and reliable DNS services and access to domains not administered by ICANN.
OpenNIC provides resolution to all ICANN domains as well as OpenNIC’s own TLDs:
.geek, .free, .bbs, .parody, .oss, .indy, .fur, .ing, .micro, .dyn and .gopher
Join us as we create a new surfing experience. OpenNIC domain registrations are free of charge — simply register your domain, agree to the terms of the specific TLD you’re registering with, and point your domain to whatever online services you have to offer.
www.opennicproject.org/
To complete the service infrastructure OpenNIC maintains a list of servers able to perform recursive resolution. These servers are able to resolve the TLDs offered byOpenNIC and must be used by users as an alternative or complement to the ISPservers available to them.
Public Access (Tier-2) DNS Servers: Public Access servers, in accordance with the OpenNIC DNS Specification, provide recursive responses to the public, requiring a hefty amount of data transfer.
List: www.opennicproject.org/publictier2servers
List geo-location based: wiki.opennicproject.org/ClosestT2Servers
Such as we found an interesting initiative, we decided to start using these servers.But before we use something we like to evaluate the level of security it offers. For this reason we performed a small survey of servers listed by OpenNIC.
Considerations:
- The survey has made from Spain hosts to Spain located DNS server and using FreeDNS services (freedns.afraid.org) to publish the 3 TLD domain used.
- This study aims to provide value to the service OpenNIC offers.
Here is an summary of the results after doing some testing. Checks made no more than 10 requests in order to check if the server is a possible ”open-emitter”, software version, TTL accepted, non-recursive requests allowed and the correct port radomization.
The total number of servers on which checking is performed is 42. Be excludedservers operating in IPv6 in this brief study.
The issues analyzed are as follows:
- Open Emitter: Server use same IP for client and server side.
- TTL: Max TTL accepted.
- RAND Ports: Server range port in queries (client side).
- Version: Version.bind published.
- No RD flag allow: Server resolve no recursive queries.
- Rating [potential-insecure[0]unrecommended[1,2]recommended[3,4]optimal[5]]
| Server | Open Emitter | TTL | RAND Ports | Version | RD flag | Rating |
| 58.6.115.42 | - | - | - | - | - | - |
| 202.83.95.227 | x | 2592000 | GREAT | exposed | no | 3 |
| 119.31.230.42 | x | 604800 | POOR (1port) | - | no | 0 |
| 66.206.229.101 | x | 604800 | GREAT | exposed | yes | 1 |
| 67.212.90.199 | 604800 | GREAT | exposed | yes | 2 | |
| 89.185.225.28 | x | 604800 | GREAT | exposed | no | 3 |
| 88.198.249.114 | x | 604800 | GREAT | exposed | no | 3 |
| 217.6.34.47 | x | 604800 | GREAT | - | no | 4 |
| 217.6.34.48 | x | 604800 | GREAT | - | no | 4 |
| 178.63.26.173 | x | 604800 | GREAT | exposed | yes | 2 |
| 178.63.26.174 | x | 604800 | GREAT | exposed | yes | 2 |
| 83.223.73.116 | x | 86400 | GREAT | - | yes | 4 |
| 178.63.26.172 | x | 604800 | GREAT | exposed | yes | 2 |
| 217.79.186.148 | x | 2592000 | GREAT | - | no | 3 |
| 78.46.76.144 | x | 604800 | GREAT | exposed | no | 3 |
| 78.46.76.146 | x | 604800 | GREAT | exposed | no | 3 |
| 92.243.8.139 | x | 604800 | GREAT | exposed | yes | 2 |
| 95.142.171.235 | x | 604800 | GREAT | exposed | yes | 2 |
| 82.237.169.10 | x | 604800 | GREAT | - | yes | 3 |
| 195.46.231.99 | x | 604800 | GREAT | - | no | 4 |
| 95.211.32.162 | x | 604800 | GREAT | - | no | 4 |
| 27.110.120.30 | x | - | - | - | - | - |
| 192.121.121.14 | - | - | - | - | - | - |
| 192.121.86.100 | x | 604800 | GREAT | - | no | 4 |
| 109.74.196.32 | - | - | - | - | - | - |
| 89.16.173.11 | x | 604800 | GREAT | exposed | yes | 2 |
| 74.207.247.4 | 604800 | GREAT | exposed | yes | 2 | |
| 205.185.120.143 | x | 604800 | GREAT | - | yes | 3 |
| 216.87.84.211 | 604800 | GREAT | exposed | no | 3 | |
| 184.154.13.11 | x | 604800 | GREAT | exposed | no | 3 |
| 66.244.95.20 | x | 604800 | GREAT | - | no | 4 |
| 69.164.208.50 | x | 604800 | GREAT | exposed | no | 3 |
| 69.164.211.225 | x | 604800 | GREAT | exposed | no | 3 |
| 64.0.55.201 | x | 604800 | GREAT | exposed | no | 3 |
| 68.68.18.197 | x | 604800 | GREAT | exposed | no | 3 |
| 72.14.189.120 | x | 604800 | GREAT | exposed | no | 3 |
| 69.164.196.21 | x | 604800 | GREAT | - | no | 4 |
| 208.74.121.196 | - | - | - | - | - | - |
| 72.232.162.195 | x | 604800 | GREAT | - | no | 4 |
| 128.173.89.246 | x | 604800 | GREAT | exposed | yes | 2 |
| 208.43.144.56 | x | 604800 | GREAT | - | yes | 3 |
| 67.159.25.26 | - | - | - | - | - | - |
Report stats:
TTL: Max 2592000 / Min 86400 / Med 604800
Open emitter: 34/42
Rand Ports: 36(GREAT)/1(POOR)
Version: 22/37
RD flag: 17(yes)/22(no)/4(time out)
And Rating stats:
During the tests was detected that a server uses a single port for the recursive resolution.In addition, the port used is the actual DNS service port (53/udp). This is a security problem because the server could become a victim of a cache poisoning or a denial of service.
20:40:49.834987 IP 119.31.230.42.53 > @8.%$.?.!|3.53: 27952 [1au] A? 26524.subdomain.crabdance.com. (58)
20:40:49.835283 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 27952*- 1/1/2 A 1.111.1.111 (113)
20:40:50.662949 IP 119.31.230.42.53 >@8.%$.?.!|3.53: 56212 [1au] A? 18007.subdomain.crabdance.com. (58)
20:40:50.663301 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 56212*- 1/1/2 A 1.111.1.111 (113)
20:40:51.469681 IP 119.31.230.42.53 > @8.%$.?.!|3.53: 61742 [1au] A? 10214.subdomain.crabdance.com. (58)
20:40:51.470040 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 61742*- 1/1/2 A 1.111.1.111 (113)
20:40:52.361705 IP 119.31.230.42.53 > @8.%$.?.!|3.53: 57922 [1au] A? 31473.subdomain.crabdance.com. (58)
20:40:52.362052 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 57922*- 1/1/2 A 1.111.1.111 (113)
20:40:53.216820 IP 119.31.230.42.53 > @8.%$.?.!|3.53: 44946 [1au] A? 26389.subdomain.crabdance.com. (58)
20:40:53.217199 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 44946*- 1/1/2 A 1.111.1.111 (113)
20:40:54.024087 IP 119.31.230.42.53 >@8.%$.?.!|3.53: 21492 [1au] A? 26070.subdomain.crabdance.com. (58)
20:40:54.024431 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 21492*- 1/1/2 A 1.111.1.111 (113)
20:40:54.841505 IP 119.31.230.42.53 > @8.%$.?.!|3.53: 38277 [1au] A? 6472.subdomain.crabdance.com. (57)
20:40:54.841835 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 38277*- 1/1/2 A 1.111.1.111 (112)
20:40:56.073528 IP 119.31.230.42.53 > @8.%$.?.!|3.53: 39680 [1au] A? 5293.subdomain.crabdance.com. (57)
20:40:56.073886 IP @8.%$.?.!|3.53 > 119.31.230.42.53: 39680*- 1/1/2 A 1.111.1.111 (112)
Enlaces:
[+] www.opennicproject.org
[+] dns.measurement-factory.com/cgi-bin/openresolvercheck.pl/
[+] pastehtml.com/view/axwqfxv77.html (Anonymous DNS alternative propuse)
- Share this:
DNS, Hacktivismo
DNS, hacktivismo, opennic
June 28th, 2011
2 responses
2 responses
Do you want to comment?
Comments RSS and TrackBack Identifier URI ?
Comment now!