217.320traceroute
traceroute 时间:2021-05-17 阅读:()
AcuriouscaseofbrokenDNSresponsesBabakFarrokhiRIPE75AboutmeUnixSA(FreeBSD,Solaris,Linux)since1996IPNetworkingsince1997FreeBSDPortsTeamsince2004Enthusiasticcoder@farrokhiPrologueWhenitcomestonetwork,IalwayshavetrustissuesMostpeopleignorethosestrangenetworkbehaviorsOnlyafewpeopletaketheredpillandgodowntherabbithole.
.
.
ObservationOutgoingSMTPfailsduetoMXlookupfailuresonlycertaindomains(e.
g.
twitter.
com)Localresolverreturns"incorrect"responsePublicResolver(e.
g.
Google)alsoreturnedincorrectresponseIneededtolookdeeperintothisDowntherabbithole.
.
.
StrangeresponsesfrompublicresolversThisisnotwhatIexpectedtogetfromapublicresolver:%dig+short-tAtwitter.
com@8.
8.
8.
810.
10.
34.
34%dig+short-tAripe.
net@8.
8.
8.
8193.
0.
6.
139%dig-tMXtwitter.
com@8.
8.
8.
8;;Gotbadpacket:badlabeltype45bytes40108180000100010000000007747769twi7474657203636f6d00000c0001c00c00tter.
com.
.
.
.
.
.
.
.
0c000100000379000341414100.
.
.
.
.
.
y.
.
AAA.
NeedtotakeacloserlookNotobviousatfirstglance,buttimedeltaisstrange.
.
.
%tcpdump-ttt-c2-nqrripe.
pcapreadingfromPCAP-NGfileripe.
pcap00:00:00.
000000IP192.
168.
0.
132.
53425>8.
8.
8.
8.
53:UDP,length2700:00:00.
138933IP8.
8.
8.
8.
53>192.
168.
0.
132.
53425:UDP,length75%tcpdump-ttt-c2-nqrtwitter.
pcapreadingfromPCAP-NGfiletwitter.
pcap00:00:00.
000000IP192.
168.
0.
132.
58418>8.
8.
8.
8.
53:UDP,length2900:00:00.
028077IP8.
8.
8.
8.
53>192.
168.
0.
132.
58418:UDP,length45dnsping-AnewtoolisbornStartedasahumblePythonscripttosolvemyownproblemNotintendedtore-inventthewheelSimilaruserexperienceasthelegacyPING%.
/dnsping.
py-s8.
8.
8.
8-c3ripe.
netdnsping.
pyDNS:8.
8.
8.
8:53,hostname:ripe.
net,rdatatype:A32bytesfrom8.
8.
8.
8:seq=0time=200.
371ms32bytesfrom8.
8.
8.
8:seq=1time=217.
320ms32bytesfrom8.
8.
8.
8:seq=2time=236.
644ms---8.
8.
8.
8dnspingstatistics---3requeststransmitted,3responsesreceived,0%lostmin=200.
371ms,avg=218.
112ms,max=236.
644ms,stddev=18.
149msICMPvsDNSResponseTimes%ping-q-c108.
8.
8.
8PING8.
8.
8.
8(8.
8.
8.
8):56databytes---8.
8.
8.
8pingstatistics---10packetstransmitted,10packetsreceived,0.
0%packetlossround-tripmin/avg/max/stddev=124.
237/155.
044/227.
499/31.
464ms%.
/dnsping.
py-q-s8.
8.
8.
8-c3twitter.
comdnsping.
pyDNS:8.
8.
8.
8:53,hostname:twitter.
com,rdatatype:A---8.
8.
8.
8dnspingstatistics---3requeststransmitted,3responsesreceived,0%lostmin=12.
934ms,avg=21.
355ms,max=29.
425ms,stddev=8.
251msFirstanomalyDifferentdomainnamesbeingtreateddifferentlyAroguenameserverimpersonatingasGoogleResolverTheroguenameserverisclosetome(givenresponsetimes)WhereisitAndhowcanIfindoutdnstraceroute:TraceroutetoolforDNSprotocolSimilartolegacytraceroute,butforDNSprotocolSendoutactualDNSqueriesandexpectaresponseUsingTTLtricktomapthejourneyCouldnotuselegacytraceroutewithUDPprobesThetrafficredirectionisbasedonDNS"payload"RealvsRogueDNSServers%.
/dnstraceroute.
py-s8.
8.
8.
8ripe.
netdnstraceroute.
pyDNS:8.
8.
8.
8:53,hostname:ripe.
net,rdatatype:A1192.
168.
0.
1(192.
168.
0.
1)3.
912ms2*3192.
168.
10.
105(192.
168.
10.
105)15.
792ms4172.
17.
2.
1(172.
17.
2.
1)17.
063ms5172.
17.
2.
9(172.
17.
2.
9)11.
245ms6172.
19.
18.
5(172.
19.
18.
5)24.
862ms7172.
19.
17.
2(172.
19.
17.
2)18.
972ms810.
201.
177.
41(10.
201.
177.
41)13.
261ms910.
10.
53.
190(10.
10.
53.
190)14.
240ms10185.
100.
209.
117(185.
100.
209.
117)176.
592ms11*12de-cix.
fra.
google.
com(80.
81.
192.
108)152.
757ms13108.
170.
251.
193(108.
170.
251.
193)90.
347ms14google-public-dns-a.
google.
com(8.
8.
8.
8)185.
401ms%.
/dnstraceroute.
py-s8.
8.
8.
8twitter.
comdnstraceroute.
pyDNS:8.
8.
8.
8:53,hostname:twitter.
com,rdatatype:A1192.
168.
0.
1(192.
168.
0.
1)3.
160ms2*3192.
168.
10.
105(192.
168.
10.
105)5.
985ms4172.
17.
2.
1(172.
17.
2.
1)8.
535ms5172.
17.
2.
9(172.
17.
2.
9)20.
617ms6172.
19.
18.
5(172.
19.
18.
5)7.
823ms7*8*9google-public-dns-a.
google.
com(8.
8.
8.
8)19.
557msBacktothecaseofbrokenMXRoguenameserveralsoreturns"broken"responsesOnlytocertaintypeofqueries(e.
g.
MX)%dig-tMXtwitter.
com@8.
8.
8.
8;;Gotbadpacket:badlabeltype45bytes40108180000100010000000007747769twi7474657203636f6d00000c0001c00c00tter.
com.
.
.
.
.
.
.
.
0c000100000379000341414100.
.
.
.
.
.
y.
.
AAA.
Lookingatpacketsagain.
.
.
ResponsetoMXrequestismalformedServerrespondedwithPTRresponseRDLENGTHis3butRDATAfieldcontains4bytesAdditionalbytewasalwaysNULLSeemslikeabugincodeQueriedtop10,000domainnames[1],received139brokenresponses[2]UncoveringtherougeresolveraddressQueryTXTrecordfrommaxmind.
test-ipv6.
comIttellsyouthepublicaddressofyourresolverTheaddressshouldbelongtoGoogle(AS15169)AnythingelsemeansMITMUsingRIPEAtlastoseeifthisisaregularpractice%dig+short-tTXTmaxmind.
test-ipv6.
com@8.
8.
4.
4"ip='74.
125.
74.
14'as='15169'isp='Google'country='FI'"IsitjustmeLet'saskRIPEAtlas500Probesworldwide-484Replied(DNS/UDP/IPv4)475Good(Req.
fromGoogleaddressspace)~98%9Bad(Req.
fromnon-Googleaddressspace)~2%Same500probes-484Replied(DNS/TCP/IPv4)479Good~99%5Bad~1%ThelogicbehindDNStrafficredirectionWhatisthemotivationTherearemainlytworeasons:1.
Privacyprotection(TheGood)Preventsendingrequesttousehaveyourend-pointIPaddressasitssourceaddressFilteroutmalwareslookingfortheirC&C2.
DNSbasedserviceredirection(TheEvil)RestrictyouraccessRedirectyourtrafficCountermeasuresForcelocalresolvertouseTCPDNSCrypt(dnscrypt.
org)OpenDNSsupportsit,desktopclientsavailableDNSoverTLS/DTLS(RFC7858and8094)DNSPrivacyProject(dnsprivacy.
org)offerstutorials,tools,recommendationsandtestserversDNSSECFromtop100domainnamesonly2ofthemaresigned[3]WhatiftheroguenameserverdoesnotvalidateDNSSECFinalwordsDon'ttrustapublicDNSresolver,useyourownThereain'tnosuchthingasafreelunch(TANSTAAFL)Stubresolversareeasytosetupanduse(e.
g.
Stubby)Don'ttrustyourupstream,encryptasmuchaspossibleDNScontainsimportantinformationAsperRFC7258:"PervasiveMonitoringIsanAttack"Toolsofthetradednsping,dnstracerouteanddnsevalarepartof"dnsdiagtoolkit"onGitHub[4]LookingforfeedbackandideasfromcommunityCombiningwithothertools(e.
g.
RIPEAtlas)toperformmorecomplexbehavioranalysisSuggestion:dnstracerouteinRIPEAtlasprobesQuestionsResources[1]https://github.
com/opendns/public-domain-lists[2]https://gist.
github.
com/farrokhi/0b56ae06813391be9164[3]https://gist.
github.
com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8[4]https://github.
com/farrokhi/dnsdiagAlsomyarticlesonRIPELabsdiscussionthesameissue:https://labs.
ripe.
net/Members/babak_farrokhi
.
.
ObservationOutgoingSMTPfailsduetoMXlookupfailuresonlycertaindomains(e.
g.
twitter.
com)Localresolverreturns"incorrect"responsePublicResolver(e.
g.
Google)alsoreturnedincorrectresponseIneededtolookdeeperintothisDowntherabbithole.
.
.
StrangeresponsesfrompublicresolversThisisnotwhatIexpectedtogetfromapublicresolver:%dig+short-tAtwitter.
com@8.
8.
8.
810.
10.
34.
34%dig+short-tAripe.
net@8.
8.
8.
8193.
0.
6.
139%dig-tMXtwitter.
com@8.
8.
8.
8;;Gotbadpacket:badlabeltype45bytes40108180000100010000000007747769twi7474657203636f6d00000c0001c00c00tter.
com.
.
.
.
.
.
.
.
0c000100000379000341414100.
.
.
.
.
.
y.
.
AAA.
NeedtotakeacloserlookNotobviousatfirstglance,buttimedeltaisstrange.
.
.
%tcpdump-ttt-c2-nqrripe.
pcapreadingfromPCAP-NGfileripe.
pcap00:00:00.
000000IP192.
168.
0.
132.
53425>8.
8.
8.
8.
53:UDP,length2700:00:00.
138933IP8.
8.
8.
8.
53>192.
168.
0.
132.
53425:UDP,length75%tcpdump-ttt-c2-nqrtwitter.
pcapreadingfromPCAP-NGfiletwitter.
pcap00:00:00.
000000IP192.
168.
0.
132.
58418>8.
8.
8.
8.
53:UDP,length2900:00:00.
028077IP8.
8.
8.
8.
53>192.
168.
0.
132.
58418:UDP,length45dnsping-AnewtoolisbornStartedasahumblePythonscripttosolvemyownproblemNotintendedtore-inventthewheelSimilaruserexperienceasthelegacyPING%.
/dnsping.
py-s8.
8.
8.
8-c3ripe.
netdnsping.
pyDNS:8.
8.
8.
8:53,hostname:ripe.
net,rdatatype:A32bytesfrom8.
8.
8.
8:seq=0time=200.
371ms32bytesfrom8.
8.
8.
8:seq=1time=217.
320ms32bytesfrom8.
8.
8.
8:seq=2time=236.
644ms---8.
8.
8.
8dnspingstatistics---3requeststransmitted,3responsesreceived,0%lostmin=200.
371ms,avg=218.
112ms,max=236.
644ms,stddev=18.
149msICMPvsDNSResponseTimes%ping-q-c108.
8.
8.
8PING8.
8.
8.
8(8.
8.
8.
8):56databytes---8.
8.
8.
8pingstatistics---10packetstransmitted,10packetsreceived,0.
0%packetlossround-tripmin/avg/max/stddev=124.
237/155.
044/227.
499/31.
464ms%.
/dnsping.
py-q-s8.
8.
8.
8-c3twitter.
comdnsping.
pyDNS:8.
8.
8.
8:53,hostname:twitter.
com,rdatatype:A---8.
8.
8.
8dnspingstatistics---3requeststransmitted,3responsesreceived,0%lostmin=12.
934ms,avg=21.
355ms,max=29.
425ms,stddev=8.
251msFirstanomalyDifferentdomainnamesbeingtreateddifferentlyAroguenameserverimpersonatingasGoogleResolverTheroguenameserverisclosetome(givenresponsetimes)WhereisitAndhowcanIfindoutdnstraceroute:TraceroutetoolforDNSprotocolSimilartolegacytraceroute,butforDNSprotocolSendoutactualDNSqueriesandexpectaresponseUsingTTLtricktomapthejourneyCouldnotuselegacytraceroutewithUDPprobesThetrafficredirectionisbasedonDNS"payload"RealvsRogueDNSServers%.
/dnstraceroute.
py-s8.
8.
8.
8ripe.
netdnstraceroute.
pyDNS:8.
8.
8.
8:53,hostname:ripe.
net,rdatatype:A1192.
168.
0.
1(192.
168.
0.
1)3.
912ms2*3192.
168.
10.
105(192.
168.
10.
105)15.
792ms4172.
17.
2.
1(172.
17.
2.
1)17.
063ms5172.
17.
2.
9(172.
17.
2.
9)11.
245ms6172.
19.
18.
5(172.
19.
18.
5)24.
862ms7172.
19.
17.
2(172.
19.
17.
2)18.
972ms810.
201.
177.
41(10.
201.
177.
41)13.
261ms910.
10.
53.
190(10.
10.
53.
190)14.
240ms10185.
100.
209.
117(185.
100.
209.
117)176.
592ms11*12de-cix.
fra.
google.
com(80.
81.
192.
108)152.
757ms13108.
170.
251.
193(108.
170.
251.
193)90.
347ms14google-public-dns-a.
google.
com(8.
8.
8.
8)185.
401ms%.
/dnstraceroute.
py-s8.
8.
8.
8twitter.
comdnstraceroute.
pyDNS:8.
8.
8.
8:53,hostname:twitter.
com,rdatatype:A1192.
168.
0.
1(192.
168.
0.
1)3.
160ms2*3192.
168.
10.
105(192.
168.
10.
105)5.
985ms4172.
17.
2.
1(172.
17.
2.
1)8.
535ms5172.
17.
2.
9(172.
17.
2.
9)20.
617ms6172.
19.
18.
5(172.
19.
18.
5)7.
823ms7*8*9google-public-dns-a.
google.
com(8.
8.
8.
8)19.
557msBacktothecaseofbrokenMXRoguenameserveralsoreturns"broken"responsesOnlytocertaintypeofqueries(e.
g.
MX)%dig-tMXtwitter.
com@8.
8.
8.
8;;Gotbadpacket:badlabeltype45bytes40108180000100010000000007747769twi7474657203636f6d00000c0001c00c00tter.
com.
.
.
.
.
.
.
.
0c000100000379000341414100.
.
.
.
.
.
y.
.
AAA.
Lookingatpacketsagain.
.
.
ResponsetoMXrequestismalformedServerrespondedwithPTRresponseRDLENGTHis3butRDATAfieldcontains4bytesAdditionalbytewasalwaysNULLSeemslikeabugincodeQueriedtop10,000domainnames[1],received139brokenresponses[2]UncoveringtherougeresolveraddressQueryTXTrecordfrommaxmind.
test-ipv6.
comIttellsyouthepublicaddressofyourresolverTheaddressshouldbelongtoGoogle(AS15169)AnythingelsemeansMITMUsingRIPEAtlastoseeifthisisaregularpractice%dig+short-tTXTmaxmind.
test-ipv6.
com@8.
8.
4.
4"ip='74.
125.
74.
14'as='15169'isp='Google'country='FI'"IsitjustmeLet'saskRIPEAtlas500Probesworldwide-484Replied(DNS/UDP/IPv4)475Good(Req.
fromGoogleaddressspace)~98%9Bad(Req.
fromnon-Googleaddressspace)~2%Same500probes-484Replied(DNS/TCP/IPv4)479Good~99%5Bad~1%ThelogicbehindDNStrafficredirectionWhatisthemotivationTherearemainlytworeasons:1.
Privacyprotection(TheGood)Preventsendingrequesttousehaveyourend-pointIPaddressasitssourceaddressFilteroutmalwareslookingfortheirC&C2.
DNSbasedserviceredirection(TheEvil)RestrictyouraccessRedirectyourtrafficCountermeasuresForcelocalresolvertouseTCPDNSCrypt(dnscrypt.
org)OpenDNSsupportsit,desktopclientsavailableDNSoverTLS/DTLS(RFC7858and8094)DNSPrivacyProject(dnsprivacy.
org)offerstutorials,tools,recommendationsandtestserversDNSSECFromtop100domainnamesonly2ofthemaresigned[3]WhatiftheroguenameserverdoesnotvalidateDNSSECFinalwordsDon'ttrustapublicDNSresolver,useyourownThereain'tnosuchthingasafreelunch(TANSTAAFL)Stubresolversareeasytosetupanduse(e.
g.
Stubby)Don'ttrustyourupstream,encryptasmuchaspossibleDNScontainsimportantinformationAsperRFC7258:"PervasiveMonitoringIsanAttack"Toolsofthetradednsping,dnstracerouteanddnsevalarepartof"dnsdiagtoolkit"onGitHub[4]LookingforfeedbackandideasfromcommunityCombiningwithothertools(e.
g.
RIPEAtlas)toperformmorecomplexbehavioranalysisSuggestion:dnstracerouteinRIPEAtlasprobesQuestionsResources[1]https://github.
com/opendns/public-domain-lists[2]https://gist.
github.
com/farrokhi/0b56ae06813391be9164[3]https://gist.
github.
com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8[4]https://github.
com/farrokhi/dnsdiagAlsomyarticlesonRIPELabsdiscussionthesameissue:https://labs.
ripe.
net/Members/babak_farrokhi
- 217.320traceroute相关文档
- http://www.wand.net.nz/scamper/
- 路由器traceroute
- 邻居traceroute
- colorizationtraceroute
- 呼叫traceroute
- 报文traceroute
免费注册宝塔面板账户赠送价值3188礼包适合购买抵扣折扣
对于一般的用户来说,我们使用宝塔面板免费版本功能还是足够的,如果我们有需要付费插件和专业版的功能,且需要的插件比较多,实际上且长期使用的话,还是购买付费专业版或者企业版本划算一些。昨天也有在文章中分享年中促销活动。如今我们是否会发现,我们在安装宝塔面板后是必须强制我们登录账户的,否则一直有弹出登录界面,我们还是注册一个账户比较好。反正免费注册宝塔账户还有代金券赠送。 新注册宝塔账户送代金券我们注册...
TNAHosting($5/月)4核/12GB/500GB/15TB/芝加哥机房
TNAHosting是一家成立于2012年的国外主机商,提供VPS主机及独立服务器租用等业务,其中VPS主机基于OpenVZ和KVM架构,数据中心在美国芝加哥机房。目前,商家在LET推出芝加哥机房大硬盘高配VPS套餐,再次刷新了价格底线,基于OpenVZ架构,12GB内存,500GB大硬盘,支持月付仅5美元起。下面列出这款VPS主机配置信息。CPU:4 cores内存:12GB硬盘:500GB月流...
云如故枣庄高防(49元)大内存2H2G49元8H8G109元
云如故是一家成立于2018年的国内企业IDC服务商,由山东云如故网络科技有限公司运营,IDC ICP ISP CDN VPN IRCS等证件齐全!合法运营销售,主要从事自营高防独立服务器、物理机、VPS、云服务器,虚拟主机等产品销售,适合高防稳定等需求的用户,可用于建站、游戏、商城、steam、APP、小程序、软件、资料存储等等各种个人及企业级用途。机房可封UDP 海外 支持策略定制 双层硬件(傲...
traceroute为你推荐
-
画风不同神情相同的各种尊敬的浪潮英信服务器用户:机构apple支持ipadphotoshop技术什么是ps技术tcpip上的netbios禁用tcp/ip上的netbios对网络应用软件的正常运行有没有影响?win7telnetwindows7的TELNET服务在哪里开启啊如何用itunes备份如何使用iTunes最新版进行备份?急!!css选择器CSS中的选择器分几种?win7还原系统电脑怎么恢复出厂设置win7旗舰版