Boy, in just the last week, I’ve seen a number of notable developments in the world of DNS. You’d think that, after 25+ years, activity would die down a little!
First, OpenDNS and Google Public DNS announced that they’re going to start trials of the extension described in draft-vandergaast-edns-client-subnet-00. Basically, that Internet Draft proposes a new EDNS0 option that would allow a recursive name server to include the IP address of the original stub resolver in the queries it sends to authoritative name servers. While at first blush that may not make sense – why would an authoritative name server care what the original querier’s IP address was? – recall that “authoritative name servers” are in many cases fancy global server load balancers run by content delivery networks, and that they want to decide where to direct you based on whereabouts on the Internet you live. Until now, if you used big recursive name servers in the sky such as OpenDNS or Google Public DNS, you’d always look to a CDN like you were coming from whichever anycast instance you’d happened to be directed to. Now you can actually get a response that’s meant for you.
There’s a little bit of controversy over this because the trials are using an EDNS0 “code point” that isn’t officially allocated for this purpose. There is no such code point yet, because to get one the folks behind the proposal need to have their Internet Draft advanced to an RFC. You can’t blame the authors for wanting to get their trial going, but we can’t just be grabbing any old code points we want, can we? That way lies madness.
In other DNS news, a Sri Lankan branch of Anonymous claims to have hacked the name servers of Apple, Microsoft and Symantec. The press was a little vague about what actually happened, referring to it as a “DNS Cache Snoop Poisoning” attack, which sounds like a portmanteau of two very different DNS attacks to me. I found the group’s claims online and what they actually did seems innocuous: They tried reverse-mapping IP addresses in networks registered to the companies and, when they got results, they printed them. So the end result of their shenanigans appears to be a snippet of the old host table; for example:
There’s no evidence that the companies’ name servers or the hosts identified were breached. As an AAPL shareholder, I’m not going to sweat this.