The beginning, end, and analysis of DNS pollution nationwide in January 21, 2014

The beginning, end, and analysis of DNS pollution nationwide in January 21, 2014

Ovear was debugging a new server at around on June 30, January 21, and it was found that it suddenly failed .. Ping the following command and find that all Ovear domain names point to the IP Address [65.49.2.178. The first reaction of Ovear is that DNSPOD is hacked again! Why is DNSPOD hacked? In fact, DNSPOD encountered a similar problem before, resulting in all domain names kneeling, just as the Ovear domain name also has several domain names tested there, then, let's talk to a group. As a result, the Administrator said that their DNS was contaminated, and Ovear thought it would not be because all DNS servers in China were contaminated. As a result, I spoke about it. It is also a national hijacking.

Then Ovear is curious. What is the problem ~ Who can do this ~ So we have the following analysis and popular science ~

------ The following content is caused by viruses in Ovear's home appliance brain. It has nothing to do with me. Decline cross-province --------

After talking about balablabala for so long, some people must have asked me what it is, what it is, and what it has to do with it!

So what is DNS? Ovear is here.

We generally access through the Domain name [Domain]. How does Alibaba DNS start with "D? That's right! There is a relationship: the full Name of DNS is actually [Domain Name System] translated as a Domain Name System.

There is only an IP address on the Internet, and an IP address is actually a string of numbers, which is equivalent to the house number in your house. If you want to find you on the internet, you must use this, so IP is unique for everyone. But the fourth generation of IP is such a http://XXX.XXX.XXX.XXX, how hard to remember ah, who will have nothing to remember IP, not to mention the next day so long IPV6, remember not to have to live!

At this time, a smart scientist came out, and we added an alias to the IP address. You can know this IP address without remembering it! So we have the Domain name [Domain.

When you access the Ovear's Blog

The computer's DNS resolution system will automatically ask the DNS server: Does Ni know that the IP address of the Ovear's Blog is Shenma?

DNS: find it for you. Sorry, I found it. The IP address is [122.10.94.169]. Ovear's computer: Thank you. Goodbye, DNS: Well.

The reality is that, ask people who know Michael JACOB: Do you know where Michael Jacob is? Answer in Nanshan District balabalabla.

Of course, this explanation is not very appropriate, because a DNS server cannot know the addresses of all domain names, because this requires a huge cost, So recursive DNS and root DNS appear at this time.

(Due to the length of the article, Ovear is actually a problem. Ovear will write another article to elaborate on the working principle of DNS, or refer to [Domain Name System] QAQ)

(Supplement: QAQ Ovear is a bit simple here. In fact, root dns refers to a total of 13 root dns servers worldwide, records the TOPLEVEL Domain Server [top-level Domain name root Server] corresponding to each suffix, and then [authoritative DNS Server]. it is the DNS server used for this domain name (which can be seen in whois)

Summary:

[Root server]: 13 A-M worldwide [. http://root-servers.net], stores each suffix Domain Name of the [top-level domain name root server] [top-level domain name root server]: Each suffix corresponding to the DNS server, the authoritative DNS [authoritative DNS] that stores the [suffix] All domain names: the DNS used by this domain name. For example, if the DNS server I set is DNSPOD, the authoritative DNS is DNSPOD. You can see it in WHOIS (a thing for viewing Domain Name Information. Stores this domain name [corresponding information], such as IP address ~

So the correct parsing process should be like the following

The DNS used by the user (edge DNS)-> (the root DNS will be pushed many levels online)-> top-level domain name root server-> authoritative DNS)

What is root DNS? Every domain name has a suffix. For example, ovear is suffixed with [. info. Then there is a dns server dedicated to recording the suffix [. info]. The same applies to other suffixes. This DNS is the root DNS of the domain name.

What about recursive DNS? In fact, recursive DNS is an agent used to relieve the [root DNS] pressure. If you ask [root DNS], then [root DNS] will not be paralyzed long ago. After all, the address of a person (website) does not change frequently. Therefore, the TTL statement is adopted. According to DNS regulations, what about TTL time, everyone thinks that the address of your home (the IP address pointed to by the domain name) will not change, so the agent [recursive DNS] at this time, if you ask him twice, he will directly tell you the IP address that the domain name directs. In this way, the [root DNS] load is too large.

By the way, this figure can accurately reflect what we mentioned earlier ~

After talking about this for a long time, everything goes through. What is the relationship between DNS and this incident ~

First, let's look at the figure.

Watt! So many domain names point to the same IP address. What is the case? 0. In fact, this is a typical [DNS Pollution.

We know that there are two protocols on the Internet: TCP and UDP ′) I am not a computer student ).

The main difference between TCP and UDP is whether the reliability of information transmission can be ensured. No matter whether the message reaches the target or not, UDP only sends the message. Therefore, UDP is much faster than TCP, but its reliability is not good.

By default, DNS queries use UDP, which can be hijacked. Directly intercept the UDP packet on any transmission path, and then return it to the receiver.

He said that everyone knows about the issue of the incident. The hijacking in such a wide range must be carried out on the backbone networks of various provinces and cities, and such big data can be processed, at the same time, it can control so many backbone networks .. Too many errors... That's right! It's ~ As for what it is, Ovear won't talk about it here. Otherwise, we may not be able to see Ovear's QAQ.

Here, Ovear is going to manually check whether it is speculative or not? So I got this image (From XiaoXin)

At the same time, O & M also began tracking queries on servers in various regions, and found that the resolution time across the country was around 25 ms. At this time, the conclusion came out.

This is obvious. It must have been *** done ~~ So Ovear curiously checked out what the IP address is and why it points to it. So Ovear found some interesting things ~ (65.49.2.0/24)

The initiator of the event is shown on the other side.

So why does a FW do this? Ovear makes a no-responsibility speculation here. The most likely reason is that an FW employee originally wanted to block this IP segment, however, I accidentally entered the DNS pollution option, and did not write the pollution target, so the global pollution was caused ~

However, some children's shoes may ask why they say it's okay to use 8.8.8.8 ~

In fact, this is not correct, because Ovear used 8.8.8.8 before. The above also mentioned the default UDP query used for DNS query, so no matter what you use, it is still true to hijack. In fact, 8.8.8.8 is okay because the pollution event has basically ended. Why can't other domestic DNS servers be used after the pollution event ends, and Goole DNS can be used normally ~ So Ovear found an interesting image ~

Let me explain the purpose of the above command ~ This command is used to query the domain name directly from the DNS server ~

Among them, the [-vc] parameter is mandatory to use TCP to query the DNS server, so as to avoid UDP-contaminated map guns.

So why Will DNS be contaminated after the pollution ends? In fact, the reason is very simple. As Ovear mentioned earlier, [recursive DNS] requires querying [root DNS], while the default query method is UDP, naturally, it is polluted. Ovear mentioned TTL before ~

During the TTL period, [recursive DNS] based on the protocol directly caches the results on your own, and does not query [root DNS] any more, so the DNS in China caches the error Results ~

Google's DNS servers are basically outside China, so the query has little impact, but many domain names in China use DNSPOD and DNSLA's DNS, So Google goes to China to check, it will still be affected.

Therefore, to completely avoid this impact, there are two conditions

1. Your Domain Name's DNS must be abroad

2. the DNS you query must be in a foreign country, and you need to query it over TCP during the contaminated period.

In this way, this problem can be avoided.

Then Ovear finds out the TTL and then checks the TTL.

If no manual intervention is provided, this event will continue for quite a long time ~.